NSSCertDBTrustDomain.h (12265B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef NSSCertDBTrustDomain_h 8 #define NSSCertDBTrustDomain_h 9 10 #include "CertVerifier.h" 11 #include "CRLiteTimestamp.h" 12 #include "ScopedNSSTypes.h" 13 #include "mozilla/BasePrincipal.h" 14 #include "mozilla/TimeStamp.h" 15 #include "mozpkix/pkixtypes.h" 16 #include "nsICertStorage.h" 17 #include "nsString.h" 18 #include "secmodt.h" 19 20 namespace mozilla { 21 namespace psm { 22 23 enum class NSSDBConfig { 24 ReadWrite = 0, 25 ReadOnly = 1, 26 }; 27 28 enum class PKCS11DBConfig { 29 DoNotLoadModules = 0, 30 LoadModules = 1, 31 }; 32 33 enum class OCSPFetchStatus : uint16_t { 34 NotFetched = 0, 35 Fetched = 1, 36 }; 37 38 // Helper struct to associate the DER bytes of a potential issuer certificate 39 // with its source (i.e. where it came from). 40 struct IssuerCandidateWithSource { 41 mozilla::pkix::Input mDER; // non-owning 42 IssuerSource mIssuerSource; 43 }; 44 45 SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig, 46 PKCS11DBConfig pkcs11DbConfig); 47 48 void DisableMD5(); 49 50 /** 51 * Loads root certificates from a module. 52 * 53 * @param dir 54 * The path to the directory containing the NSS builtin roots module. 55 * Usually the same as the path to the other NSS shared libraries. 56 * If empty, the (library) path will be searched. 57 * @return true if the roots were successfully loaded, false otherwise. 58 */ 59 60 bool LoadLoadableRoots(const nsCString& dir); 61 62 /** 63 * Loads root certificates from libxul. 64 * 65 * @return true if the roots were successfully loaded, false otherwise. 66 */ 67 bool LoadLoadableRootsFromXul(); 68 69 /** 70 * Loads the OS client certs module. 71 * 72 * @return true if the module was successfully loaded, false otherwise. 73 */ 74 bool LoadOSClientCertsModule(); 75 76 /** 77 * Loads the IPC client certs module. 78 * 79 * @param dir 80 * The path to the directory containing the module. This should be the 81 * same as where all of the other gecko libraries live. 82 * @return true if the module was successfully loaded, false otherwise. 83 */ 84 bool LoadIPCClientCertsModule(); 85 86 nsresult DefaultServerNicknameForCert(const CERTCertificate* cert, 87 /*out*/ nsCString& nickname); 88 89 /** 90 * Build nsTArray<uint8_t>s out of the issuer, serial, subject and public key 91 * data from the supplied certificate for use in revocation checks. 92 * 93 * @param certDER 94 * The Input that references the encoded bytes of the certificate. 95 * @param endEntityOrCA 96 * Whether the certificate is an end-entity or CA. 97 * @param out encIssuer 98 * The array to populate with issuer data. 99 * @param out encSerial 100 * The array to populate with serial number data. 101 * @param out encSubject 102 * The array to populate with subject data. 103 * @param out encPubKey 104 * The array to populate with public key data. 105 * @return 106 * Result::Success, unless there's a problem decoding the certificate. 107 */ 108 pkix::Result BuildRevocationCheckArrays(pkix::Input certDER, 109 pkix::EndEntityOrCA endEntityOrCA, 110 /*out*/ nsTArray<uint8_t>& issuerBytes, 111 /*out*/ nsTArray<uint8_t>& serialBytes, 112 /*out*/ nsTArray<uint8_t>& subjectBytes, 113 /*out*/ nsTArray<uint8_t>& pubKeyBytes); 114 115 class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { 116 public: 117 typedef mozilla::pkix::Result Result; 118 119 enum RevocationCheckMode { 120 RevocationCheckLocalOnly = 0, 121 RevocationCheckMayFetch = 1, 122 RevocationCheckRequired = 2, 123 }; 124 125 NSSCertDBTrustDomain( 126 SECTrustType certDBTrustType, RevocationCheckMode ocspFetching, 127 OCSPCache& ocspCache, SignatureCache* signatureCache, 128 TrustCache* trustCache, void* pinArg, 129 mozilla::TimeDuration ocspTimeoutSoft, 130 mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays, 131 unsigned int minRSABits, CRLiteMode crliteMode, 132 const OriginAttributes& originAttributes, 133 const nsTArray<mozilla::pkix::Input>& thirdPartyRootInputs, 134 const nsTArray<mozilla::pkix::Input>& thirdPartyIntermediateInputs, 135 const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates, 136 const mozilla::pkix::Input& encodedSCTsFromTLS, 137 const UniquePtr<mozilla::ct::MultiLogCTVerifier>& ctVerifier, 138 /*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, 139 /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr, 140 /*optional*/ const char* hostname = nullptr); 141 142 virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName, 143 IssuerChecker& checker, 144 mozilla::pkix::Time time) override; 145 146 virtual Result GetCertTrust( 147 mozilla::pkix::EndEntityOrCA endEntityOrCA, 148 const mozilla::pkix::CertPolicyId& policy, 149 mozilla::pkix::Input candidateCertDER, 150 /*out*/ mozilla::pkix::TrustLevel& trustLevel) override; 151 152 virtual Result CheckSignatureDigestAlgorithm( 153 mozilla::pkix::DigestAlgorithm digestAlg, 154 mozilla::pkix::EndEntityOrCA endEntityOrCA, 155 mozilla::pkix::Time notBefore) override; 156 157 virtual Result CheckRSAPublicKeyModulusSizeInBits( 158 mozilla::pkix::EndEntityOrCA endEntityOrCA, 159 unsigned int modulusSizeInBits) override; 160 161 virtual Result VerifyRSAPKCS1SignedData( 162 mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, 163 mozilla::pkix::Input signature, 164 mozilla::pkix::Input subjectPublicKeyInfo) override; 165 166 virtual Result VerifyRSAPSSSignedData( 167 mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, 168 mozilla::pkix::Input signature, 169 mozilla::pkix::Input subjectPublicKeyInfo) override; 170 171 virtual Result CheckECDSACurveIsAcceptable( 172 mozilla::pkix::EndEntityOrCA endEntityOrCA, 173 mozilla::pkix::NamedCurve curve) override; 174 175 virtual Result VerifyECDSASignedData( 176 mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, 177 mozilla::pkix::Input signature, 178 mozilla::pkix::Input subjectPublicKeyInfo) override; 179 180 virtual Result DigestBuf(mozilla::pkix::Input item, 181 mozilla::pkix::DigestAlgorithm digestAlg, 182 /*out*/ uint8_t* digestBuf, 183 size_t digestBufLen) override; 184 185 virtual Result CheckValidityIsAcceptable( 186 mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter, 187 mozilla::pkix::EndEntityOrCA endEntityOrCA, 188 mozilla::pkix::KeyPurposeId keyPurpose) override; 189 190 virtual Result CheckRevocation( 191 mozilla::pkix::EndEntityOrCA endEntityOrCA, 192 const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, 193 mozilla::pkix::Duration validityDuration, 194 /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse, 195 /*optional*/ const mozilla::pkix::Input* aiaExtension) override; 196 197 virtual Result IsChainValid( 198 const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time, 199 const mozilla::pkix::CertPolicyId& requiredPolicy) override; 200 201 virtual void NoteAuxiliaryExtension( 202 mozilla::pkix::AuxiliaryExtension extension, 203 mozilla::pkix::Input extensionData) override; 204 205 // Resets the OCSP stapling status and SCT lists accumulated during 206 // the chain building. 207 void ResetAccumulatedState(); 208 // Resets state related to a fully-built candidate chain that becomes invalid 209 // if that chain is found to not be acceptable. 210 void ResetCandidateBuiltChainState(); 211 212 CertVerifier::OCSPStaplingStatus GetOCSPStaplingStatus() const { 213 return mOCSPStaplingStatus; 214 } 215 216 // SCT lists (see Certificate Transparency) extracted during 217 // certificate verification. Note that the returned Inputs are invalidated 218 // the next time a chain is built and by ResetAccumulatedState method 219 // (and when the TrustDomain object is destroyed). 220 221 mozilla::pkix::Input GetSCTListFromCertificate() const; 222 mozilla::pkix::Input GetSCTListFromOCSPStapling() const; 223 224 Maybe<ct::CTVerifyResult>& GetCachedCTVerifyResult(); 225 226 bool GetIsBuiltChainRootBuiltInRoot() const; 227 228 OCSPFetchStatus GetOCSPFetchStatus() { return mOCSPFetchStatus; } 229 IssuerSources GetIssuerSources() { return mIssuerSources; } 230 Maybe<mozilla::pkix::Time> GetDistrustAfterTime() { 231 return mDistrustAfterTime; 232 } 233 234 private: 235 Result CheckCRLite( 236 const nsTArray<uint8_t>& issuerSubjectPublicKeyInfoBytes, 237 const nsTArray<uint8_t>& serialNumberBytes, 238 const nsTArray<RefPtr<nsICRLiteTimestamp>>& crliteTimestamps, 239 bool& filterCoversCertificate); 240 241 enum EncodedResponseSource { 242 ResponseIsFromNetwork = 1, 243 ResponseWasStapled = 2 244 }; 245 Result VerifyAndMaybeCacheEncodedOCSPResponse( 246 const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, 247 uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse, 248 EncodedResponseSource responseSource, /*out*/ bool& expired); 249 TimeDuration GetOCSPTimeout() const; 250 251 Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID, 252 mozilla::pkix::Time time, 253 /*out*/ bool& crliteCoversCertificate); 254 255 Result CheckRevocationByOCSP( 256 const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, 257 mozilla::pkix::Duration validityDuration, const nsCString& aiaLocation, 258 /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse); 259 260 Result SynchronousCheckRevocationWithServer( 261 const mozilla::pkix::CertID& certID, const nsCString& aiaLocation, 262 mozilla::pkix::Time time, uint16_t maxOCSPLifetimeInDays, 263 const Result cachedResponseResult, 264 const Result stapledOCSPResponseResult); 265 Result HandleOCSPFailure(const Result cachedResponseResult, 266 const Result stapledOCSPResponseResult, 267 const Result error); 268 269 bool ShouldSkipSelfSignedNonTrustAnchor(mozilla::pkix::Input certDER); 270 Result CheckCandidates(IssuerChecker& checker, 271 nsTArray<IssuerCandidateWithSource>& candidates, 272 mozilla::pkix::Input* nameConstraintsInputPtr, 273 bool& keepGoing); 274 275 const SECTrustType mCertDBTrustType; 276 const RevocationCheckMode mOCSPFetching; 277 OCSPCache& mOCSPCache; // non-owning! 278 SignatureCache* mSignatureCache; // non-owning! 279 TrustCache* mTrustCache; // non-owning! 280 void* mPinArg; // non-owning! 281 const mozilla::TimeDuration mOCSPTimeoutSoft; 282 const mozilla::TimeDuration mOCSPTimeoutHard; 283 const uint32_t mCertShortLifetimeInDays; 284 const unsigned int mMinRSABits; 285 CRLiteMode mCRLiteMode; 286 const OriginAttributes& mOriginAttributes; 287 const nsTArray<mozilla::pkix::Input>& mThirdPartyRootInputs; // non-owning 288 const nsTArray<mozilla::pkix::Input>& 289 mThirdPartyIntermediateInputs; // non-owning 290 const Maybe<nsTArray<nsTArray<uint8_t>>>& mExtraCertificates; // non-owning 291 const mozilla::pkix::Input& mEncodedSCTsFromTLS; // non-owning 292 const UniquePtr<mozilla::ct::MultiLogCTVerifier>& mCTVerifier; // non-owning 293 nsTArray<nsTArray<uint8_t>>& mBuiltChain; // non-owning 294 bool mIsBuiltChainRootBuiltInRoot; 295 PinningTelemetryInfo* mPinningTelemetryInfo; 296 const char* mHostname; // non-owning - only used for pinning checks 297 nsCOMPtr<nsICertStorage> mCertStorage; 298 CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus; 299 // Certificate Transparency data extracted during certificate verification 300 UniqueSECItem mSCTListFromCertificate; 301 UniqueSECItem mSCTListFromOCSPStapling; 302 303 // The built-in roots module, if available. 304 UniqueSECMODModule mBuiltInRootsModule; 305 306 OCSPFetchStatus mOCSPFetchStatus; 307 IssuerSources mIssuerSources; 308 Maybe<mozilla::pkix::Time> mDistrustAfterTime; 309 Maybe<mozilla::ct::CTVerifyResult> mCTVerifyResult; 310 }; 311 312 } // namespace psm 313 } // namespace mozilla 314 315 #endif // NSSCertDBTrustDomain_h