2014-02-15 02:37:07 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
#ifdef MOZ_LOGGING
|
|
|
|
#define FORCE_PR_LOG 1
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include "AppTrustDomain.h"
|
|
|
|
#include "certdb.h"
|
2014-03-21 01:29:21 +04:00
|
|
|
#include "pkix/pkix.h"
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "mozilla/ArrayUtils.h"
|
|
|
|
#include "nsIX509CertDB.h"
|
|
|
|
#include "prerror.h"
|
|
|
|
#include "secerr.h"
|
|
|
|
|
|
|
|
// Generated in Makefile.in
|
|
|
|
#include "marketplace-prod-public.inc"
|
|
|
|
#include "marketplace-prod-reviewers.inc"
|
|
|
|
#include "marketplace-dev-public.inc"
|
|
|
|
#include "marketplace-dev-reviewers.inc"
|
|
|
|
#include "xpcshell.inc"
|
|
|
|
|
2014-03-21 01:29:21 +04:00
|
|
|
using namespace mozilla::pkix;
|
2014-02-15 02:37:07 +04:00
|
|
|
|
|
|
|
#ifdef PR_LOGGING
|
|
|
|
extern PRLogModuleInfo* gPIPNSSLog;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
namespace mozilla { namespace psm {
|
|
|
|
|
|
|
|
AppTrustDomain::AppTrustDomain(void* pinArg)
|
|
|
|
: mPinArg(pinArg)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
|
|
|
AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
|
|
|
|
{
|
|
|
|
SECItem trustedDER;
|
|
|
|
|
|
|
|
// Load the trusted certificate into the in-memory NSS database so that
|
|
|
|
// CERT_CreateSubjectCertList can find it.
|
|
|
|
|
|
|
|
switch (trustedRoot)
|
|
|
|
{
|
|
|
|
case nsIX509CertDB::AppMarketplaceProdPublicRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(marketplaceProdPublicRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(marketplaceProdPublicRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case nsIX509CertDB::AppMarketplaceProdReviewersRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(marketplaceProdReviewersRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(marketplaceProdReviewersRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case nsIX509CertDB::AppMarketplaceDevPublicRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(marketplaceDevPublicRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(marketplaceDevPublicRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case nsIX509CertDB::AppMarketplaceDevReviewersRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(marketplaceDevReviewersRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(marketplaceDevReviewersRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case nsIX509CertDB::AppXPCShellRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
|
|
|
mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
|
|
|
&trustedDER, nullptr, false, true);
|
|
|
|
if (!mTrustedRoot) {
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
2014-07-03 03:15:16 +04:00
|
|
|
AppTrustDomain::FindIssuer(const SECItem& encodedIssuerName,
|
|
|
|
IssuerChecker& checker, PRTime time)
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
{
|
|
|
|
MOZ_ASSERT(mTrustedRoot);
|
|
|
|
if (!mTrustedRoot) {
|
|
|
|
PR_SetError(PR_INVALID_STATE_ERROR, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
2014-07-03 03:15:16 +04:00
|
|
|
// TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
|
|
|
|
// FindIssuer must only pass certificates with a matching subject name to
|
|
|
|
// checker.Check, we can stop using CERT_CreateSubjectCertList and instead
|
|
|
|
// use logic like this:
|
|
|
|
//
|
|
|
|
// 1. First, try the trusted trust anchor.
|
|
|
|
// 2. Secondly, iterate through the certificates that were stored in the CMS
|
|
|
|
// message, passing each one to checker.Check.
|
|
|
|
mozilla::pkix::ScopedCERTCertList
|
|
|
|
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
|
|
|
|
&encodedIssuerName, time, true));
|
|
|
|
if (candidates) {
|
|
|
|
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
|
|
|
|
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
|
|
|
|
bool keepGoing;
|
|
|
|
SECStatus srv = checker.Check(n->cert->derCert, keepGoing);
|
|
|
|
if (srv != SECSuccess) {
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
if (!keepGoing) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
|
|
|
AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
|
2014-05-16 05:59:52 +04:00
|
|
|
const CertPolicyId& policy,
|
2014-06-03 21:47:25 +04:00
|
|
|
const SECItem& candidateCertDER,
|
2014-02-15 02:37:07 +04:00
|
|
|
/*out*/ TrustLevel* trustLevel)
|
|
|
|
{
|
2014-05-16 05:59:52 +04:00
|
|
|
MOZ_ASSERT(policy.IsAnyPolicy());
|
2014-02-15 02:37:07 +04:00
|
|
|
MOZ_ASSERT(trustLevel);
|
|
|
|
MOZ_ASSERT(mTrustedRoot);
|
2014-06-03 21:47:25 +04:00
|
|
|
if (!trustLevel || !policy.IsAnyPolicy()) {
|
2014-02-15 02:37:07 +04:00
|
|
|
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
if (!mTrustedRoot) {
|
|
|
|
PR_SetError(PR_INVALID_STATE_ERROR, 0);
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Handle active distrust of the certificate.
|
2014-06-03 21:47:25 +04:00
|
|
|
|
|
|
|
// XXX: This would be cleaner and more efficient if we could get the trust
|
|
|
|
// information without constructing a CERTCertificate here, but NSS doesn't
|
|
|
|
// expose it in any other easy-to-use fashion.
|
|
|
|
ScopedCERTCertificate candidateCert(
|
|
|
|
CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
|
|
|
const_cast<SECItem*>(&candidateCertDER), nullptr,
|
|
|
|
false, true));
|
|
|
|
if (!candidateCert) {
|
|
|
|
return SECFailure;
|
|
|
|
}
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
CERTCertTrust trust;
|
2014-06-03 21:47:25 +04:00
|
|
|
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
|
2014-02-15 02:37:07 +04:00
|
|
|
PRUint32 flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
|
|
|
|
|
|
|
|
// For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
|
|
|
|
// because we can have active distrust for either type of cert. Note that
|
|
|
|
// CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
|
|
|
|
// relevant trust bit isn't set then that means the cert must be considered
|
|
|
|
// distrusted.
|
2014-04-26 03:29:26 +04:00
|
|
|
PRUint32 relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
|
2014-02-15 02:37:07 +04:00
|
|
|
? CERTDB_TRUSTED_CA
|
|
|
|
: CERTDB_TRUSTED;
|
|
|
|
if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD)))
|
|
|
|
== CERTDB_TERMINAL_RECORD) {
|
2014-04-26 03:29:26 +04:00
|
|
|
*trustLevel = TrustLevel::ActivelyDistrusted;
|
2014-02-15 02:37:07 +04:00
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// mTrustedRoot is the only trust anchor for this validation.
|
2014-06-03 21:47:25 +04:00
|
|
|
if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
|
2014-04-26 03:29:26 +04:00
|
|
|
*trustLevel = TrustLevel::TrustAnchor;
|
2014-02-15 02:37:07 +04:00
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
2014-04-26 03:29:26 +04:00
|
|
|
*trustLevel = TrustLevel::InheritsTrust;
|
2014-02-15 02:37:07 +04:00
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
SECStatus
|
2014-07-04 03:59:42 +04:00
|
|
|
AppTrustDomain::VerifySignedData(const CERTSignedData& signedData,
|
2014-06-06 02:18:32 +04:00
|
|
|
const SECItem& subjectPublicKeyInfo)
|
2014-02-15 02:37:07 +04:00
|
|
|
{
|
2014-06-06 02:18:32 +04:00
|
|
|
return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
|
|
|
|
mPinArg);
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2014-02-17 05:35:40 +04:00
|
|
|
SECStatus
|
2014-06-20 21:10:51 +04:00
|
|
|
AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, PRTime time,
|
|
|
|
/*optional*/ const SECItem*,
|
2014-02-17 05:35:40 +04:00
|
|
|
/*optional*/ const SECItem*)
|
|
|
|
{
|
|
|
|
// We don't currently do revocation checking. If we need to distrust an Apps
|
|
|
|
// certificate, we will use the active distrust mechanism.
|
|
|
|
return SECSuccess;
|
|
|
|
}
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
} }
|