[ tor-browser ].git.dasho

QWACTrustDomain.cpp (5665B)
      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #include "QWACTrustDomain.h"
      8 
      9 #include "mozpkix/pkixnss.h"
     10 #include "mozpkix/pkixutil.h"
     11 #include "qwac_trust_anchors/qwac_trust_anchors_ffi_generated.h"
     12 
     13 using namespace mozilla::pkix;
     14 
     15 namespace mozilla {
     16 namespace psm {
     17 
     18 QWACTrustDomain::QWACTrustDomain(
     19    nsTArray<RefPtr<nsIX509Cert>>& collectedCerts) {
     20  for (const auto& cert : collectedCerts) {
     21    nsTArray<uint8_t> der;
     22    if (NS_SUCCEEDED(cert->GetRawDER(der))) {
     23      mIntermediates.AppendElement(std::move(der));
     24    }
     25  }
     26 }
     27 
     28 pkix::Result QWACTrustDomain::FindIssuer(Input encodedIssuerName,
     29                                         IssuerChecker& checker, Time) {
     30  nsTArray<Input> candidates;
     31 
     32  nsTArray<uint8_t> subject(encodedIssuerName.UnsafeGetData(),
     33                            encodedIssuerName.GetLength());
     34  nsTArray<nsTArray<uint8_t>> qwacTrustAnchors;
     35  find_qwac_trust_anchors_by_subject(&subject, &qwacTrustAnchors);
     36 
     37  for (const auto& trustAnchor : qwacTrustAnchors) {
     38    Input trustAnchorInput;
     39    pkix::Result rv =
     40        trustAnchorInput.Init(trustAnchor.Elements(), trustAnchor.Length());
     41    // This should never fail, since the possible trust anchors are all
     42    // hard-coded and they should never be too long.
     43    if (rv != Success) {
     44      return rv;
     45    }
     46    candidates.AppendElement(std::move(trustAnchorInput));
     47  }
     48 
     49  for (const auto& intermediate : mIntermediates) {
     50    Input intermediateInput;
     51    pkix::Result rv =
     52        intermediateInput.Init(intermediate.Elements(), intermediate.Length());
     53    // These intermediates are from the TLS handshake and could be too long.
     54    if (rv != Success) {
     55      continue;
     56    }
     57    candidates.AppendElement(std::move(intermediateInput));
     58  }
     59 
     60  for (const auto& candidate : candidates) {
     61    bool keepGoing;
     62    pkix::Result rv = checker.Check(
     63        candidate, nullptr /*additionalNameConstraints*/, keepGoing);
     64    if (rv != Success) {
     65      return rv;
     66    }
     67    if (!keepGoing) {
     68      break;
     69    }
     70  }
     71 
     72  return Success;
     73 }
     74 
     75 pkix::Result QWACTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
     76                                           const CertPolicyId& policy,
     77                                           Input candidateCertDER,
     78                                           /*out*/ TrustLevel& trustLevel) {
     79  BackCert backCert(candidateCertDER, endEntityOrCA, nullptr);
     80  Result rv = backCert.Init();
     81  if (rv != Success) {
     82    return rv;
     83  }
     84  Input subjectInput(backCert.GetSubject());
     85  nsTArray<uint8_t> subject(subjectInput.UnsafeGetData(),
     86                            subjectInput.GetLength());
     87  nsTArray<uint8_t> candidateCert(candidateCertDER.UnsafeGetData(),
     88                                  candidateCertDER.GetLength());
     89  if (is_qwac_trust_anchor(&subject, &candidateCert)) {
     90    trustLevel = TrustLevel::TrustAnchor;
     91  } else {
     92    trustLevel = TrustLevel::InheritsTrust;
     93  }
     94 
     95  return Success;
     96 }
     97 
     98 pkix::Result QWACTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
     99                                        /*out*/ uint8_t* digestBuf,
    100                                        size_t digestBufLen) {
    101  return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
    102 }
    103 
    104 pkix::Result QWACTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&,
    105                                              Time, Duration,
    106                                              /*optional*/ const Input*,
    107                                              /*optional*/ const Input*) {
    108  return Success;
    109 }
    110 
    111 pkix::Result QWACTrustDomain::IsChainValid(const DERArray& certChain, Time time,
    112                                           const CertPolicyId& requiredPolicy) {
    113  return Success;
    114 }
    115 
    116 pkix::Result QWACTrustDomain::CheckSignatureDigestAlgorithm(
    117    DigestAlgorithm digestAlg, EndEntityOrCA, Time) {
    118  return Success;
    119 }
    120 
    121 pkix::Result QWACTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
    122    EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) {
    123  return Success;
    124 }
    125 
    126 pkix::Result QWACTrustDomain::VerifyRSAPKCS1SignedData(
    127    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    128    Input subjectPublicKeyInfo) {
    129  return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
    130                                     subjectPublicKeyInfo, nullptr);
    131 }
    132 
    133 pkix::Result QWACTrustDomain::VerifyRSAPSSSignedData(
    134    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    135    Input subjectPublicKeyInfo) {
    136  return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
    137                                   subjectPublicKeyInfo, nullptr);
    138 }
    139 
    140 pkix::Result QWACTrustDomain::CheckECDSACurveIsAcceptable(
    141    EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
    142  return Success;
    143 }
    144 
    145 pkix::Result QWACTrustDomain::VerifyECDSASignedData(
    146    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    147    Input subjectPublicKeyInfo) {
    148  return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
    149                                  subjectPublicKeyInfo, nullptr);
    150 }
    151 
    152 pkix::Result QWACTrustDomain::CheckValidityIsAcceptable(
    153    Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
    154    KeyPurposeId /*keyPurpose*/) {
    155  return Success;
    156 }
    157 
    158 void QWACTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
    159                                             Input /*extensionData*/) {}
    160 
    161 }  // namespace psm
    162 }  // namespace mozilla
	tor-browser The Tor Browser
	git clone https://git.dasho.dev/tor-browser.git
	Log \| Files \| Refs \| README \| LICENSE