tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

VerifySSLServerCertParent.cpp (5825B)

      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set sw=2 ts=8 et tw=80 : */
      3 
      4 /* This Source Code Form is subject to the terms of the Mozilla Public
      5 * License, v. 2.0. If a copy of the MPL was not distributed with this
      6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      7 
      8 #include "VerifySSLServerCertParent.h"
      9 
     10 #include "cert.h"
     11 #include "nsNSSComponent.h"
     12 #include "secerr.h"
     13 #include "SharedCertVerifier.h"
     14 #include "NSSCertDBTrustDomain.h"
     15 #include "SSLServerCertVerification.h"
     16 #include "nsNSSIOLayer.h"
     17 #include "nsISocketProvider.h"
     18 
     19 extern mozilla::LazyLogModule gPIPNSSLog;
     20 
     21 using namespace mozilla::pkix;
     22 
     23 namespace mozilla {
     24 namespace psm {
     25 
     26 VerifySSLServerCertParent::VerifySSLServerCertParent() {}
     27 
     28 void VerifySSLServerCertParent::OnVerifiedSSLServerCert(
     29    const nsTArray<ByteArray>& aBuiltCertChain,
     30    uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
     31    bool aSucceeded, PRErrorCode aFinalError,
     32    nsITransportSecurityInfo::OverridableErrorCategory
     33        aOverridableErrorCategory,
     34    bool aIsBuiltCertChainRootBuiltInRoot, bool aMadeOCSPRequests) {
     35  if (!CanSend()) {
     36    return;
     37  }
     38 
     39  (void)SendOnVerifySSLServerCertFinished(
     40      aBuiltCertChain, aCertificateTransparencyStatus, aEVStatus, aSucceeded,
     41      aFinalError, aOverridableErrorCategory, aIsBuiltCertChainRootBuiltInRoot,
     42      aMadeOCSPRequests);
     43 
     44  Close();
     45 }
     46 
     47 namespace {
     48 
     49 class IPCServerCertVerificationResult final
     50    : public BaseSSLServerCertVerificationResult {
     51 public:
     52  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(IPCServerCertVerificationResult,
     53                                        override)
     54 
     55  IPCServerCertVerificationResult(nsIEventTarget* aTarget,
     56                                  VerifySSLServerCertParent* aParent)
     57      : mTarget(aTarget), mParent(aParent) {}
     58 
     59  [[nodiscard]] nsresult Dispatch(
     60      nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
     61      nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
     62      uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
     63      bool aSucceeded, PRErrorCode aFinalError,
     64      nsITransportSecurityInfo::OverridableErrorCategory
     65          aOverridableErrorCategory,
     66      bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
     67      bool aMadeOCSPRequests) override;
     68 
     69 private:
     70  ~IPCServerCertVerificationResult() = default;
     71 
     72  nsCOMPtr<nsIEventTarget> mTarget;
     73  RefPtr<VerifySSLServerCertParent> mParent;
     74 };
     75 
     76 nsresult IPCServerCertVerificationResult::Dispatch(
     77    nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
     78    nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
     79    uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
     80    bool aSucceeded, PRErrorCode aFinalError,
     81    nsITransportSecurityInfo::OverridableErrorCategory
     82        aOverridableErrorCategory,
     83    bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
     84    bool aMadeOCSPRequests) {
     85  nsTArray<ByteArray> builtCertChain;
     86  if (aSucceeded) {
     87    for (auto& cert : aBuiltChain) {
     88      builtCertChain.AppendElement(ByteArray(cert));
     89    }
     90  }
     91 
     92  nsresult rv = mTarget->Dispatch(
     93      NS_NewRunnableFunction(
     94          "psm::VerifySSLServerCertParent::OnVerifiedSSLServerCert",
     95          [parent(mParent), builtCertChain{std::move(builtCertChain)},
     96           aCertificateTransparencyStatus, aEVStatus, aSucceeded, aFinalError,
     97           aOverridableErrorCategory, aIsBuiltCertChainRootBuiltInRoot,
     98           aMadeOCSPRequests]() {
     99            parent->OnVerifiedSSLServerCert(
    100                builtCertChain, aCertificateTransparencyStatus, aEVStatus,
    101                aSucceeded, aFinalError, aOverridableErrorCategory,
    102                aIsBuiltCertChainRootBuiltInRoot, aMadeOCSPRequests);
    103          }),
    104      NS_DISPATCH_NORMAL);
    105  MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
    106  return rv;
    107 }
    108 
    109 }  // anonymous namespace
    110 
    111 bool VerifySSLServerCertParent::Dispatch(
    112    nsTArray<ByteArray>&& aPeerCertChain, const nsACString& aHostName,
    113    const int32_t& aPort, const OriginAttributes& aOriginAttributes,
    114    const Maybe<ByteArray>& aStapledOCSPResponse,
    115    const Maybe<ByteArray>& aSctsFromTLSExtension,
    116    const Maybe<DelegatedCredentialInfoArg>& aDcInfo,
    117    const uint32_t& aProviderFlags, const uint32_t& aCertVerifierFlags) {
    118  MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("VerifySSLServerCertParent::Dispatch"));
    119 
    120  mBackgroundThread = GetCurrentSerialEventTarget();
    121 
    122  nsTArray<nsTArray<uint8_t>> peerCertBytes;
    123  for (auto& certBytes : aPeerCertChain) {
    124    nsTArray<uint8_t> bytes;
    125    peerCertBytes.AppendElement(std::move(certBytes.data()));
    126  }
    127 
    128  Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
    129  if (aStapledOCSPResponse) {
    130    stapledOCSPResponse.emplace(aStapledOCSPResponse->data().Clone());
    131  }
    132 
    133  Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
    134  if (aSctsFromTLSExtension) {
    135    sctsFromTLSExtension.emplace(aSctsFromTLSExtension->data().Clone());
    136  }
    137 
    138  Maybe<DelegatedCredentialInfo> dcInfo;
    139  if (aDcInfo) {
    140    dcInfo.emplace();
    141    dcInfo->scheme = static_cast<SSLSignatureScheme>(aDcInfo->scheme());
    142    dcInfo->authKeyBits = aDcInfo->authKeyBits();
    143  }
    144 
    145  RefPtr<IPCServerCertVerificationResult> resultTask =
    146      new IPCServerCertVerificationResult(mBackgroundThread, this);
    147  SECStatus status = SSLServerCertVerificationJob::Dispatch(
    148      0, nullptr, std::move(peerCertBytes), aHostName, aPort, aOriginAttributes,
    149      stapledOCSPResponse, sctsFromTLSExtension, dcInfo, aProviderFlags, Now(),
    150      aCertVerifierFlags, resultTask);
    151 
    152  if (status != SECWouldBlock) {
    153    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
    154            ("VerifySSLServerCertParent::Dispatch - dispatch failed"));
    155    return false;
    156  }
    157 
    158  return true;
    159 }
    160 
    161 void VerifySSLServerCertParent::ActorDestroy(ActorDestroyReason aWhy) {}
    162 
    163 VerifySSLServerCertParent::~VerifySSLServerCertParent() = default;
    164 
    165 }  // namespace psm
    166 }  // namespace mozilla