2014-01-21 10:10:33 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
2012-10-27 11:11:35 +04:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
#include "CertVerifier.h"
|
2014-01-23 05:13:19 +04:00
|
|
|
|
|
|
|
#include <stdint.h>
|
|
|
|
|
2014-01-27 07:36:28 +04:00
|
|
|
#include "ExtendedValidation.h"
|
2013-07-09 03:30:59 +04:00
|
|
|
#include "NSSCertDBTrustDomain.h"
|
2014-05-29 02:28:03 +04:00
|
|
|
#include "NSSErrorsService.h"
|
2014-02-06 02:49:10 +04:00
|
|
|
#include "PublicKeyPinningService.h"
|
2012-10-27 11:11:35 +04:00
|
|
|
#include "cert.h"
|
2014-02-06 02:49:10 +04:00
|
|
|
#include "pk11pub.h"
|
2014-05-29 02:28:03 +04:00
|
|
|
#include "pkix/pkix.h"
|
2014-01-20 02:05:40 +04:00
|
|
|
#include "prerror.h"
|
2014-05-29 02:28:03 +04:00
|
|
|
#include "secerr.h"
|
2013-07-09 03:30:59 +04:00
|
|
|
#include "sslerr.h"
|
2012-10-27 11:11:35 +04:00
|
|
|
|
2014-03-21 01:29:21 +04:00
|
|
|
// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
|
2014-01-23 05:13:19 +04:00
|
|
|
// mozilla::ScopedXXX.
|
2014-03-21 01:29:21 +04:00
|
|
|
using namespace mozilla::pkix;
|
2014-01-23 05:13:19 +04:00
|
|
|
using namespace mozilla::psm;
|
|
|
|
|
2014-02-06 10:11:26 +04:00
|
|
|
#ifdef PR_LOGGING
|
2014-02-17 05:35:40 +04:00
|
|
|
PRLogModuleInfo* gCertVerifierLog = nullptr;
|
2012-10-27 11:11:35 +04:00
|
|
|
#endif
|
|
|
|
|
|
|
|
namespace mozilla { namespace psm {
|
|
|
|
|
|
|
|
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
|
2014-01-25 01:57:35 +04:00
|
|
|
const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
|
2012-10-27 11:11:35 +04:00
|
|
|
|
2014-06-17 10:13:29 +04:00
|
|
|
CertVerifier::CertVerifier(ocsp_download_config odc,
|
2012-10-27 11:11:35 +04:00
|
|
|
ocsp_strict_config osc,
|
2014-02-06 02:49:10 +04:00
|
|
|
ocsp_get_config ogc,
|
|
|
|
pinning_enforcement_config pel)
|
2014-06-17 10:13:29 +04:00
|
|
|
: mOCSPDownloadEnabled(odc == ocsp_on)
|
2012-10-27 11:11:35 +04:00
|
|
|
, mOCSPStrict(osc == ocsp_strict)
|
2013-10-25 01:32:09 +04:00
|
|
|
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
|
2014-02-06 02:49:10 +04:00
|
|
|
, mPinningEnforcementLevel(pel)
|
2012-10-27 11:11:35 +04:00
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
CertVerifier::~CertVerifier()
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2013-07-11 10:47:09 +04:00
|
|
|
void
|
|
|
|
InitCertVerifierLog()
|
|
|
|
{
|
2014-02-06 10:11:26 +04:00
|
|
|
#ifdef PR_LOGGING
|
2013-07-11 10:47:09 +04:00
|
|
|
if (!gCertVerifierLog) {
|
|
|
|
gCertVerifierLog = PR_NewLogModule("certverifier");
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2014-02-06 02:49:10 +04:00
|
|
|
SECStatus
|
|
|
|
IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
|
|
|
|
result = false;
|
|
|
|
ScopedPtr<PK11SlotList, PK11_FreeSlotList> slots;
|
|
|
|
slots = PK11_GetAllSlotsForCert(cert, nullptr);
|
|
|
|
if (!slots) {
|
|
|
|
if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
|
|
|
|
// no list
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
for (PK11SlotListElement* le = slots->head; le; le = le->next) {
|
|
|
|
char* token = PK11_GetTokenName(le->slot);
|
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
|
|
|
("BuiltInRoot? subject=%s token=%s",cert->subjectName, token));
|
|
|
|
if (strcmp("Builtin Object Token", token) == 0) {
|
|
|
|
result = true;
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct ChainValidationCallbackState
|
|
|
|
{
|
|
|
|
const char* hostname;
|
|
|
|
const CertVerifier::pinning_enforcement_config pinningEnforcementLevel;
|
|
|
|
const SECCertificateUsage usage;
|
|
|
|
const PRTime time;
|
|
|
|
};
|
2014-01-25 02:13:25 +04:00
|
|
|
|
2014-02-06 02:49:14 +04:00
|
|
|
SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
|
|
|
|
PRBool* chainOK)
|
|
|
|
{
|
2014-02-06 02:49:10 +04:00
|
|
|
ChainValidationCallbackState* callbackState =
|
|
|
|
reinterpret_cast<ChainValidationCallbackState*>(state);
|
|
|
|
|
2014-02-06 02:49:14 +04:00
|
|
|
*chainOK = PR_FALSE;
|
|
|
|
|
2014-02-06 02:49:10 +04:00
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
|
|
|
("verifycert: Inside the Callback \n"));
|
2014-02-06 02:49:14 +04:00
|
|
|
|
|
|
|
// On sanity failure we fail closed.
|
|
|
|
if (!certList) {
|
2014-02-06 02:49:10 +04:00
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
|
|
|
("verifycert: Short circuit, callback, sanity check failed \n"));
|
|
|
|
PR_SetError(PR_INVALID_STATE_ERROR, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
if (!callbackState) {
|
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
|
|
|
("verifycert: Short circuit, callback, no state! \n"));
|
2014-02-06 02:49:14 +04:00
|
|
|
PR_SetError(PR_INVALID_STATE_ERROR, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
2014-02-06 02:49:10 +04:00
|
|
|
|
|
|
|
if (callbackState->usage != certificateUsageSSLServer ||
|
|
|
|
callbackState->pinningEnforcementLevel == CertVerifier::pinningDisabled) {
|
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
|
|
|
("verifycert: Callback shortcut pel=%d \n",
|
|
|
|
callbackState->pinningEnforcementLevel));
|
|
|
|
*chainOK = PR_TRUE;
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (CERTCertListNode* node = CERT_LIST_HEAD(certList);
|
|
|
|
!CERT_LIST_END(node, certList);
|
|
|
|
node = CERT_LIST_NEXT(node)) {
|
|
|
|
CERTCertificate* currentCert = node->cert;
|
|
|
|
if (CERT_LIST_END(CERT_LIST_NEXT(node), certList)) {
|
|
|
|
bool isBuiltInRoot = false;
|
|
|
|
SECStatus srv = IsCertBuiltInRoot(currentCert, isBuiltInRoot);
|
|
|
|
if (srv != SECSuccess) {
|
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Is BuiltInRoot failure"));
|
|
|
|
return srv;
|
|
|
|
}
|
|
|
|
// If desired, the user can enable "allow user CA MITM mode", in which
|
|
|
|
// case key pinning is not enforced for certificates that chain to trust
|
|
|
|
// anchors that are not in Mozilla's root program
|
|
|
|
if (!isBuiltInRoot &&
|
|
|
|
(callbackState->pinningEnforcementLevel ==
|
|
|
|
CertVerifier::pinningAllowUserCAMITM)) {
|
|
|
|
*chainOK = PR_TRUE;
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-05-20 00:24:41 +04:00
|
|
|
bool enforceTestMode = (callbackState->pinningEnforcementLevel ==
|
|
|
|
CertVerifier::pinningEnforceTestMode);
|
2014-02-06 02:49:10 +04:00
|
|
|
*chainOK = PublicKeyPinningService::
|
2014-05-20 00:04:40 +04:00
|
|
|
ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
|
|
|
|
enforceTestMode);
|
2014-02-06 02:49:10 +04:00
|
|
|
|
2014-02-06 02:49:14 +04:00
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
2014-02-10 23:41:12 +04:00
|
|
|
static SECStatus
|
|
|
|
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
|
2014-06-19 11:13:20 +04:00
|
|
|
PRTime time, KeyUsage ku1, KeyUsage ku2,
|
|
|
|
KeyUsage ku3, KeyPurposeId eku,
|
2014-05-16 05:59:52 +04:00
|
|
|
const CertPolicyId& requiredPolicy,
|
2014-02-17 05:35:40 +04:00
|
|
|
const SECItem* stapledOCSPResponse,
|
2014-02-10 23:41:12 +04:00
|
|
|
ScopedCERTCertList& builtChain)
|
|
|
|
{
|
2014-04-26 03:29:26 +04:00
|
|
|
SECStatus rv = BuildCertChain(trustDomain, cert, time,
|
|
|
|
EndEntityOrCA::MustBeEndEntity, ku1,
|
|
|
|
eku, requiredPolicy,
|
|
|
|
stapledOCSPResponse, builtChain);
|
2014-06-19 11:13:20 +04:00
|
|
|
if (rv != SECSuccess && PR_GetError() == SEC_ERROR_INADEQUATE_KEY_USAGE) {
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
|
|
|
EndEntityOrCA::MustBeEndEntity, ku2,
|
|
|
|
eku, requiredPolicy,
|
|
|
|
stapledOCSPResponse, builtChain);
|
2014-06-19 11:13:20 +04:00
|
|
|
if (rv != SECSuccess && PR_GetError() == SEC_ERROR_INADEQUATE_KEY_USAGE) {
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
|
|
|
EndEntityOrCA::MustBeEndEntity, ku3,
|
|
|
|
eku, requiredPolicy,
|
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
if (rv != SECSuccess) {
|
|
|
|
PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
2014-06-17 10:13:29 +04:00
|
|
|
CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
|
|
|
|
PRTime time, void* pinArg, const char* hostname,
|
|
|
|
const Flags flags,
|
|
|
|
/*optional*/ const SECItem* stapledOCSPResponse,
|
|
|
|
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
|
|
|
|
/*optional out*/ SECOidTag* evOidPolicy)
|
2014-02-10 23:41:12 +04:00
|
|
|
{
|
2014-06-17 10:13:29 +04:00
|
|
|
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
|
2014-02-24 10:15:53 +04:00
|
|
|
|
|
|
|
PR_ASSERT(cert);
|
|
|
|
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
|
|
|
|
|
|
|
|
if (validationChain) {
|
|
|
|
*validationChain = nullptr;
|
|
|
|
}
|
|
|
|
if (evOidPolicy) {
|
|
|
|
*evOidPolicy = SEC_OID_UNKNOWN;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!cert ||
|
|
|
|
(usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
|
|
|
|
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
2014-06-17 10:13:29 +04:00
|
|
|
ChainValidationCallbackState callbackState = {
|
|
|
|
hostname, mPinningEnforcementLevel, usage, time
|
|
|
|
};
|
2014-02-06 02:49:10 +04:00
|
|
|
CERTChainVerifyCallback callbackContainer;
|
|
|
|
callbackContainer.isChainValid = chainValidationCallback;
|
2014-06-17 10:13:29 +04:00
|
|
|
callbackContainer.isChainValidArg = &callbackState;
|
2014-02-06 02:49:10 +04:00
|
|
|
|
2014-02-24 10:15:53 +04:00
|
|
|
NSSCertDBTrustDomain::OCSPFetching ocspFetching
|
|
|
|
= !mOCSPDownloadEnabled ||
|
|
|
|
(flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
|
|
|
|
: !mOCSPStrict ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
|
|
|
|
: NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
|
|
|
|
|
2014-05-22 02:42:21 +04:00
|
|
|
ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
|
|
|
|
: ocsp_get_disabled;
|
2014-02-10 23:41:12 +04:00
|
|
|
|
2014-05-22 02:42:21 +04:00
|
|
|
SECStatus rv;
|
2014-02-10 23:41:12 +04:00
|
|
|
|
2014-03-21 01:29:21 +04:00
|
|
|
mozilla::pkix::ScopedCERTCertList builtChain;
|
2014-02-10 23:41:12 +04:00
|
|
|
switch (usage) {
|
|
|
|
case certificateUsageSSLClient: {
|
|
|
|
// XXX: We don't really have a trust bit for SSL client authentication so
|
|
|
|
// just use trustEmail as it is the closest alternative.
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
2014-06-19 11:13:20 +04:00
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
KeyUsage::digitalSignature,
|
2014-05-14 12:02:34 +04:00
|
|
|
KeyPurposeId::id_kp_clientAuth,
|
2014-05-16 05:59:52 +04:00
|
|
|
CertPolicyId::anyPolicy, stapledOCSPResponse,
|
2014-05-14 12:02:34 +04:00
|
|
|
builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageSSLServer: {
|
|
|
|
// TODO: When verifying a certificate in an SSL handshake, we should
|
|
|
|
// restrict the acceptable key usage based on the key exchange method
|
|
|
|
// chosen by the server.
|
2014-02-24 10:15:53 +04:00
|
|
|
|
|
|
|
#ifndef MOZ_NO_EV_CERTS
|
|
|
|
// Try to validate for EV first.
|
2014-05-16 05:59:52 +04:00
|
|
|
CertPolicyId evPolicy;
|
|
|
|
SECOidTag evPolicyOidTag;
|
|
|
|
rv = GetFirstEVPolicy(cert, evPolicy, evPolicyOidTag);
|
|
|
|
if (rv == SECSuccess) {
|
2014-02-24 10:15:53 +04:00
|
|
|
NSSCertDBTrustDomain
|
|
|
|
trustDomain(trustSSL,
|
|
|
|
ocspFetching == NSSCertDBTrustDomain::NeverFetchOCSP
|
|
|
|
? NSSCertDBTrustDomain::LocalOnlyOCSPForEV
|
|
|
|
: NSSCertDBTrustDomain::FetchOCSPForEV,
|
2014-05-22 02:42:21 +04:00
|
|
|
mOCSPCache, pinArg, ocspGETConfig, &callbackContainer);
|
2014-02-24 10:15:53 +04:00
|
|
|
rv = BuildCertChainForOneKeyUsage(trustDomain, cert, time,
|
2014-06-19 11:13:20 +04:00
|
|
|
KeyUsage::digitalSignature,// (EC)DHE
|
|
|
|
KeyUsage::keyEncipherment, // RSA
|
|
|
|
KeyUsage::keyAgreement, // (EC)DH
|
2014-05-14 12:02:34 +04:00
|
|
|
KeyPurposeId::id_kp_serverAuth,
|
2014-02-24 10:15:53 +04:00
|
|
|
evPolicy, stapledOCSPResponse,
|
|
|
|
builtChain);
|
|
|
|
if (rv == SECSuccess) {
|
|
|
|
if (evOidPolicy) {
|
2014-05-16 05:59:52 +04:00
|
|
|
*evOidPolicy = evPolicyOidTag;
|
2014-02-24 10:15:53 +04:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
builtChain = nullptr; // clear built chain, just in case.
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
if (flags & FLAG_MUST_BE_EV) {
|
|
|
|
PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
|
|
|
|
rv = SECFailure;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now try non-EV.
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig,
|
|
|
|
&callbackContainer);
|
2014-02-10 23:41:12 +04:00
|
|
|
rv = BuildCertChainForOneKeyUsage(trustDomain, cert, time,
|
2014-06-19 11:13:20 +04:00
|
|
|
KeyUsage::digitalSignature, // (EC)DHE
|
|
|
|
KeyUsage::keyEncipherment, // RSA
|
|
|
|
KeyUsage::keyAgreement, // (EC)DH
|
2014-05-14 12:02:34 +04:00
|
|
|
KeyPurposeId::id_kp_serverAuth,
|
2014-05-16 05:59:52 +04:00
|
|
|
CertPolicyId::anyPolicy,
|
2014-02-17 05:35:40 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageSSLCA: {
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time, EndEntityOrCA::MustBeCA,
|
2014-06-19 11:13:20 +04:00
|
|
|
KeyUsage::keyCertSign,
|
|
|
|
KeyPurposeId::id_kp_serverAuth,
|
2014-05-16 05:59:52 +04:00
|
|
|
CertPolicyId::anyPolicy,
|
2014-02-17 05:35:40 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageEmailSigner: {
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
2014-06-19 11:13:20 +04:00
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
KeyUsage::digitalSignature,
|
2014-05-16 05:59:52 +04:00
|
|
|
KeyPurposeId::id_kp_emailProtection,
|
|
|
|
CertPolicyId::anyPolicy,
|
2014-02-17 05:35:40 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageEmailRecipient: {
|
|
|
|
// TODO: The higher level S/MIME processing should pass in which key
|
|
|
|
// usage it is trying to verify for, and base its algorithm choices
|
|
|
|
// based on the result of the verification(s).
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-06-19 11:13:20 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
KeyUsage::keyEncipherment, // RSA
|
|
|
|
KeyPurposeId::id_kp_emailProtection,
|
|
|
|
CertPolicyId::anyPolicy,
|
|
|
|
stapledOCSPResponse, builtChain);
|
|
|
|
if (rv != SECSuccess && PR_GetError() == SEC_ERROR_INADEQUATE_KEY_USAGE) {
|
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
KeyUsage::keyAgreement, // ECDH/DH
|
|
|
|
KeyPurposeId::id_kp_emailProtection,
|
|
|
|
CertPolicyId::anyPolicy,
|
|
|
|
stapledOCSPResponse, builtChain);
|
|
|
|
}
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageObjectSigner: {
|
2014-02-24 10:15:53 +04:00
|
|
|
NSSCertDBTrustDomain trustDomain(trustObjectSigning, ocspFetching,
|
2014-05-22 02:42:21 +04:00
|
|
|
mOCSPCache, pinArg, ocspGETConfig);
|
2014-04-26 03:29:26 +04:00
|
|
|
rv = BuildCertChain(trustDomain, cert, time,
|
2014-06-19 11:13:20 +04:00
|
|
|
EndEntityOrCA::MustBeEndEntity,
|
|
|
|
KeyUsage::digitalSignature,
|
2014-05-16 05:59:52 +04:00
|
|
|
KeyPurposeId::id_kp_codeSigning,
|
|
|
|
CertPolicyId::anyPolicy,
|
2014-02-17 05:35:40 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
case certificateUsageVerifyCA:
|
|
|
|
case certificateUsageStatusResponder: {
|
|
|
|
// XXX This is a pretty useless way to verify a certificate. It is used
|
|
|
|
// by the implementation of window.crypto.importCertificates and in the
|
|
|
|
// certificate viewer UI. Because we don't know what trust bit is
|
|
|
|
// interesting, we just try them all.
|
2014-03-21 01:29:21 +04:00
|
|
|
mozilla::pkix::EndEntityOrCA endEntityOrCA;
|
2014-06-19 11:13:20 +04:00
|
|
|
mozilla::pkix::KeyUsage keyUsage;
|
2014-05-14 12:02:34 +04:00
|
|
|
KeyPurposeId eku;
|
2014-02-10 23:41:12 +04:00
|
|
|
if (usage == certificateUsageVerifyCA) {
|
2014-04-26 03:29:26 +04:00
|
|
|
endEntityOrCA = EndEntityOrCA::MustBeCA;
|
2014-06-19 11:13:20 +04:00
|
|
|
keyUsage = KeyUsage::keyCertSign;
|
2014-05-14 12:02:34 +04:00
|
|
|
eku = KeyPurposeId::anyExtendedKeyUsage;
|
2014-02-10 23:41:12 +04:00
|
|
|
} else {
|
2014-04-26 03:29:26 +04:00
|
|
|
endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
|
2014-06-19 11:13:20 +04:00
|
|
|
keyUsage = KeyUsage::digitalSignature;
|
2014-05-14 12:02:34 +04:00
|
|
|
eku = KeyPurposeId::id_kp_OCSPSigning;
|
2014-02-10 23:41:12 +04:00
|
|
|
}
|
|
|
|
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain sslTrust(trustSSL, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-02-10 23:41:12 +04:00
|
|
|
rv = BuildCertChain(sslTrust, cert, time, endEntityOrCA,
|
2014-05-16 05:59:52 +04:00
|
|
|
keyUsage, eku, CertPolicyId::anyPolicy,
|
2014-02-25 00:37:45 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
if (rv == SECFailure && PR_GetError() == SEC_ERROR_UNKNOWN_ISSUER) {
|
2014-03-13 00:08:48 +04:00
|
|
|
NSSCertDBTrustDomain emailTrust(trustEmail, ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-02-10 23:41:12 +04:00
|
|
|
rv = BuildCertChain(emailTrust, cert, time, endEntityOrCA, keyUsage,
|
2014-05-16 05:59:52 +04:00
|
|
|
eku, CertPolicyId::anyPolicy,
|
2014-02-25 00:37:45 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-07-07 06:15:13 +04:00
|
|
|
if (rv == SECFailure && PR_GetError() == SEC_ERROR_UNKNOWN_ISSUER) {
|
2014-02-10 23:41:12 +04:00
|
|
|
NSSCertDBTrustDomain objectSigningTrust(trustObjectSigning,
|
2014-03-13 00:08:48 +04:00
|
|
|
ocspFetching, mOCSPCache,
|
2014-05-22 02:42:21 +04:00
|
|
|
pinArg, ocspGETConfig);
|
2014-02-10 23:41:12 +04:00
|
|
|
rv = BuildCertChain(objectSigningTrust, cert, time, endEntityOrCA,
|
2014-05-16 05:59:52 +04:00
|
|
|
keyUsage, eku, CertPolicyId::anyPolicy,
|
2014-02-25 00:37:45 +04:00
|
|
|
stapledOCSPResponse, builtChain);
|
2014-02-10 23:41:12 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (validationChain && rv == SECSuccess) {
|
|
|
|
*validationChain = builtChain.release();
|
|
|
|
}
|
|
|
|
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
2013-07-09 03:30:59 +04:00
|
|
|
SECStatus
|
|
|
|
CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
|
2013-09-28 06:53:36 +04:00
|
|
|
/*optional*/ const SECItem* stapledOCSPResponse,
|
2013-07-09 03:30:59 +04:00
|
|
|
PRTime time,
|
|
|
|
/*optional*/ void* pinarg,
|
|
|
|
const char* hostname,
|
|
|
|
bool saveIntermediatesInPermanentDatabase,
|
2014-03-21 01:29:21 +04:00
|
|
|
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
|
2013-07-09 03:30:59 +04:00
|
|
|
/*optional out*/ SECOidTag* evOidPolicy)
|
|
|
|
{
|
|
|
|
PR_ASSERT(peerCert);
|
|
|
|
// XXX: PR_ASSERT(pinarg)
|
|
|
|
PR_ASSERT(hostname);
|
|
|
|
PR_ASSERT(hostname[0]);
|
|
|
|
|
|
|
|
if (certChainOut) {
|
|
|
|
*certChainOut = nullptr;
|
|
|
|
}
|
|
|
|
if (evOidPolicy) {
|
|
|
|
*evOidPolicy = SEC_OID_UNKNOWN;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!hostname || !hostname[0]) {
|
|
|
|
PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
2014-02-23 07:08:06 +04:00
|
|
|
// CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
|
|
|
|
// if VerifyCert succeeded.
|
2013-07-09 03:30:59 +04:00
|
|
|
ScopedCERTCertList validationChain;
|
2014-02-06 02:49:10 +04:00
|
|
|
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
|
|
|
|
hostname, 0, stapledOCSPResponse, &validationChain,
|
2014-06-17 10:13:29 +04:00
|
|
|
evOidPolicy);
|
2013-07-09 03:30:59 +04:00
|
|
|
if (rv != SECSuccess) {
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = CERT_VerifyCertName(peerCert, hostname);
|
|
|
|
if (rv != SECSuccess) {
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (saveIntermediatesInPermanentDatabase) {
|
|
|
|
SaveIntermediateCerts(validationChain);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (certChainOut) {
|
|
|
|
*certChainOut = validationChain.release();
|
|
|
|
}
|
|
|
|
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
2012-10-27 11:11:35 +04:00
|
|
|
} } // namespace mozilla::psm
|