
TLSClientAuthCertSelection.h (4989B)


      1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 *
      3 * This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #ifndef SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
      8 #define SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
      9 
     10 #include "NSSSocketControl.h"
     11 #include "nsIX509Cert.h"
     12 #include "nsNSSIOLayer.h"
     13 #include "nsThreadUtils.h"
     14 #include "ssl.h"
     15 
     16 class NSSSocketControl;
     17 
// Callback that NSS invokes to obtain a client authentication certificate.
// The overall selection flow is documented at the top of
// TLSClientAuthCertSelection.cpp.
//
// The parameter list has the shape of NSS's SSLGetClientAuthData callback
// type: an opaque `arg`, the socket the request arrived on, the CA names sent
// with the request, and two out-parameters that receive the chosen
// certificate and its private key.
//
// NOTE(review): who owns *pRetCert / *pRetKey after a successful return, and
// what they hold on failure, is not visible in this header - confirm against
// the .cpp before relying on either.
SECStatus SSLGetClientAuthDataHook(void* arg,
                                   PRFileDesc* socket,
                                   CERTDistNames* caNames,
                                   CERTCertificate** pRetCert,
                                   SECKEYPrivateKey** pRetKey);
     24 
// Carries out the selection of a client authentication certificate for one
// NSSSocketControl.
//
// `serverCert` and `caNames` are rvalue references, so the caller gives them
// up with std::move. `info` is a raw pointer.
// NOTE(review): presumably the caller must keep `info` alive for the duration
// of the call; whether the implementation takes its own reference is only
// visible in the .cpp - confirm.
void DoSelectClientAuthCertificate(
    NSSSocketControl* info, mozilla::UniqueCERTCertificate&& serverCert,
    nsTArray<nsTArray<uint8_t>>&& caNames);
     30 
// Shared base for the runnables that continue the operation once a client
// authentication certificate has been selected. It only stores the result of
// the selection; it is not meant to be used directly. Subclasses such as
// ClientAuthCertificateSelected supply Run().
class ClientAuthCertificateSelectedBase : public mozilla::Runnable {
 public:
  ClientAuthCertificateSelectedBase()
      : Runnable("ClientAuthCertificateSelectedBase") {}

  // Records the outcome of the selection. Both arguments are rvalue
  // references, so the caller hands the buffers over with std::move.
  // NOTE(review): presumably an empty selectedCertBytes means that no
  // certificate was chosen - confirm in the .cpp.
  void SetSelectedClientAuthData(
      nsTArray<uint8_t>&& selectedCertBytes,
      nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes);

 protected:
  // Bytes of the selected certificate.
  nsTArray<uint8_t> mSelectedCertBytes;
  // Bytes of each certificate on the path from the selected certificate to a
  // root. NSS needs them so it can send the chain in the TLS handshake (see
  // the note about mClientCertChain in NSSSocketControl).
  nsTArray<nsTArray<uint8_t>> mSelectedCertChainBytes;
};
     51 
// Continuation bound to one NSSSocketControl. Run() is defined in the .cpp.
class ClientAuthCertificateSelected : public ClientAuthCertificateSelectedBase {
 public:
  // `socketInfo` is stored in a RefPtr, so this runnable holds its own
  // reference to the socket control for as long as it exists.
  explicit ClientAuthCertificateSelected(NSSSocketControl* socketInfo)
      : mSocketInfo(socketInfo) {}

  NS_IMETHOD Run() override;

 private:
  // Socket control this continuation belongs to.
  RefPtr<NSSSocketControl> mSocketInfo;
};
     62 
// Holds the information needed to invoke the client certificate selection
// UI: host name, origin attributes, port and the two provider flag words.
// The type is move-only (copying is deleted) and the accessors are read-only.
//
// NOTE(review): these values describe the connection the user is asked to
// authenticate to, so callers should pass those of the connection that
// actually triggered the request. How the origin attributes scope the prompt
// or any remembered decision is only visible in the .cpp - confirm.
class ClientAuthInfo final {
 public:
  explicit ClientAuthInfo(const nsACString& hostName,
                          const mozilla::OriginAttributes& originAttributes,
                          int32_t port, uint32_t providerFlags,
                          uint32_t providerTlsFlags);
  ~ClientAuthInfo() = default;

  // Movable but not copyable.
  ClientAuthInfo(ClientAuthInfo&& aOther) noexcept;
  ClientAuthInfo(const ClientAuthInfo&) = delete;
  void operator=(const ClientAuthInfo&) = delete;

  // Read-only accessors, defined in the .cpp.
  const nsACString& HostName() const;
  const mozilla::OriginAttributes& OriginAttributesRef() const;
  int32_t Port() const;
  uint32_t ProviderFlags() const;
  uint32_t ProviderTlsFlags() const;

 private:
  nsCString mHostName;
  mozilla::OriginAttributes mOriginAttributes;
  int32_t mPort;
  uint32_t mProviderFlags;
  uint32_t mProviderTlsFlags;
};
     90 
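// Helper runnable that selects a client authentication certificate. It is
// created on the socket thread or an IPC thread, runs on the main thread, and
// then runs its continuation on the socket thread.
//
// Everything the selection needs is moved into the object at construction,
// so the creating thread keeps no handle on the certificate data once the
// runnable has been handed off.
class SelectClientAuthCertificate : public mozilla::Runnable {
 public:
  // All container and certificate arguments are rvalue references and are
  // moved into the members below. `continuation` is a raw pointer that is
  // stored in a RefPtr, so this object holds its own reference to it.
  // mSecurityCallbacks is not set here and starts out default-constructed.
  SelectClientAuthCertificate(
      ClientAuthInfo&& info, mozilla::UniqueCERTCertificate&& serverCert,
      mozilla::UniqueCERTCertList&& potentialClientCertificates,
      nsTArray<nsTArray<nsTArray<uint8_t>>>&& potentialClientCertificateChains,
      nsTArray<nsTArray<uint8_t>>&& caNames,
      ClientAuthCertificateSelectedBase* continuation, uint64_t browserId)
      : Runnable("SelectClientAuthCertificate"),
        mInfo(std::move(info)),
        mServerCert(std::move(serverCert)),
        mPotentialClientCertificates(std::move(potentialClientCertificates)),
        mPotentialClientCertificateChains(
            std::move(potentialClientCertificateChains)),
        mCANames(std::move(caNames)),
        mContinuation(continuation),
        mBrowserId(browserId) {}

  NS_IMETHOD Run() override;

  // Read-only view of the connection details. Const-qualified so that it can
  // also be called through a const reference; it only returns a const
  // reference to a member.
  const ClientAuthInfo& Info() const { return mInfo; }

  // Defined in the .cpp.
  // NOTE(review): presumably passes selectedCertBytes to mContinuation and
  // dispatches it - confirm there.
  void DispatchContinuation(nsTArray<uint8_t>&& selectedCertBytes);

 private:
  ClientAuthInfo mInfo;
  mozilla::UniqueCERTCertificate mServerCert;
  mozilla::UniqueCERTCertList mPotentialClientCertificates;
  // NOTE(review): presumably one chain per entry of
  // mPotentialClientCertificates, in the same order - confirm in the .cpp.
  nsTArray<nsTArray<nsTArray<uint8_t>>> mPotentialClientCertificateChains;
  nsTArray<nsTArray<uint8_t>> mCANames;
  RefPtr<ClientAuthCertificateSelectedBase> mContinuation;

  uint64_t mBrowserId;
  nsCOMPtr<nsIInterfaceRequestor> mSecurityCallbacks;
};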
    128 
    129 #endif  // SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_