2014-02-15 02:37:07 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
#include "AppTrustDomain.h"
|
2017-02-06 18:43:38 +03:00
|
|
|
|
2016-05-19 07:20:56 +03:00
|
|
|
#include "MainThreadUtils.h"
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "certdb.h"
|
|
|
|
#include "mozilla/ArrayUtils.h"
|
2016-05-19 07:20:56 +03:00
|
|
|
#include "mozilla/Casting.h"
|
2015-10-08 12:08:45 +03:00
|
|
|
#include "mozilla/Preferences.h"
|
|
|
|
#include "nsComponentManagerUtils.h"
|
|
|
|
#include "nsIFile.h"
|
|
|
|
#include "nsIFileStreams.h"
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "nsIX509CertDB.h"
|
2014-07-07 02:55:38 +04:00
|
|
|
#include "nsNSSCertificate.h"
|
2016-05-19 07:20:56 +03:00
|
|
|
#include "nsNetUtil.h"
|
2018-10-02 15:59:34 +03:00
|
|
|
#include "mozpkix/pkixnss.h"
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "prerror.h"
|
|
|
|
|
2017-02-06 18:43:38 +03:00
|
|
|
// Generated by gen_cert_header.py, which gets called by the build system.
|
2014-02-15 02:37:07 +04:00
|
|
|
#include "xpcshell.inc"
|
2015-03-31 21:32:40 +03:00
|
|
|
// Add-on signing Certificates
|
|
|
|
#include "addons-public.inc"
|
|
|
|
#include "addons-stage.inc"
|
2015-09-07 10:28:21 +03:00
|
|
|
// Privileged Package Certificates
|
|
|
|
#include "privileged-package-root.inc"
|
2014-02-15 02:37:07 +04:00
|
|
|
|
2014-03-21 01:29:21 +04:00
|
|
|
using namespace mozilla::pkix;
|
2014-02-15 02:37:07 +04:00
|
|
|
|
2016-01-28 21:36:00 +03:00
|
|
|
extern mozilla::LazyLogModule gPIPNSSLog;
|
2014-02-15 02:37:07 +04:00
|
|
|
|
2015-10-22 12:09:44 +03:00
|
|
|
static char kDevImportedDER[] = "network.http.signed-packages.developer-root";
|
2014-10-18 17:18:00 +04:00
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
namespace mozilla {
|
|
|
|
namespace psm {
|
|
|
|
|
2015-10-08 12:08:45 +03:00
|
|
|
StaticMutex AppTrustDomain::sMutex;
|
2015-12-06 16:06:03 +03:00
|
|
|
UniquePtr<unsigned char[]> AppTrustDomain::sDevImportedDERData;
|
2015-10-08 12:08:45 +03:00
|
|
|
unsigned int AppTrustDomain::sDevImportedDERLen = 0;
|
|
|
|
|
2016-05-06 00:56:36 +03:00
|
|
|
AppTrustDomain::AppTrustDomain(UniqueCERTCertList& certChain, void* pinArg)
|
2014-07-07 02:55:38 +04:00
|
|
|
: mCertChain(certChain), mPinArg(pinArg) {}
|
2014-02-15 02:37:07 +04:00
|
|
|
|
|
|
|
nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
|
|
|
|
SECItem trustedDER;
|
|
|
|
|
|
|
|
// Load the trusted certificate into the in-memory NSS database so that
|
|
|
|
// CERT_CreateSubjectCertList can find it.
|
|
|
|
|
|
|
|
switch (trustedRoot) {
|
|
|
|
case nsIX509CertDB::AppXPCShellRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
|
|
|
|
break;
|
|
|
|
|
2015-03-31 21:32:40 +03:00
|
|
|
case nsIX509CertDB::AddonsPublicRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(addonsPublicRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(addonsPublicRoot);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case nsIX509CertDB::AddonsStageRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(addonsStageRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(addonsStageRoot);
|
|
|
|
break;
|
|
|
|
|
2015-09-07 10:28:21 +03:00
|
|
|
case nsIX509CertDB::PrivilegedPackageRoot:
|
|
|
|
trustedDER.data = const_cast<uint8_t*>(privilegedPackageRoot);
|
|
|
|
trustedDER.len = mozilla::ArrayLength(privilegedPackageRoot);
|
|
|
|
break;
|
|
|
|
|
2015-10-08 12:08:45 +03:00
|
|
|
case nsIX509CertDB::DeveloperImportedRoot: {
|
|
|
|
StaticMutexAutoLock lock(sMutex);
|
|
|
|
if (!sDevImportedDERData) {
|
|
|
|
MOZ_ASSERT(!NS_IsMainThread());
|
|
|
|
nsCOMPtr<nsIFile> file(do_CreateInstance("@mozilla.org/file/local;1"));
|
|
|
|
if (!file) {
|
2016-12-14 15:10:25 +03:00
|
|
|
return NS_ERROR_FAILURE;
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
2017-07-31 07:28:48 +03:00
|
|
|
nsAutoCString path;
|
|
|
|
Preferences::GetCString(kDevImportedDER, path);
|
|
|
|
nsresult rv = file->InitWithNativePath(path);
|
2015-10-08 12:08:45 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
2016-12-14 15:10:25 +03:00
|
|
|
return rv;
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
nsCOMPtr<nsIInputStream> inputStream;
|
2016-12-14 15:10:25 +03:00
|
|
|
rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), file, -1,
|
|
|
|
-1, nsIFileInputStream::CLOSE_ON_EOF);
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
return rv;
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t length;
|
|
|
|
rv = inputStream->Available(&length);
|
|
|
|
if (NS_FAILED(rv)) {
|
2016-12-14 15:10:25 +03:00
|
|
|
return rv;
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
|
|
|
|
2015-12-06 16:06:03 +03:00
|
|
|
auto data = MakeUnique<char[]>(length);
|
|
|
|
rv = inputStream->Read(data.get(), length, &sDevImportedDERLen);
|
2015-10-08 12:08:45 +03:00
|
|
|
if (NS_FAILED(rv)) {
|
2016-12-14 15:10:25 +03:00
|
|
|
return rv;
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
MOZ_ASSERT(length == sDevImportedDERLen);
|
2016-05-19 07:20:56 +03:00
|
|
|
sDevImportedDERData.reset(
|
|
|
|
BitwiseCast<unsigned char*, char*>(data.release()));
|
2015-10-08 12:08:45 +03:00
|
|
|
}
|
|
|
|
|
2015-12-06 16:06:03 +03:00
|
|
|
trustedDER.data = sDevImportedDERData.get();
|
2015-10-08 12:08:45 +03:00
|
|
|
trustedDER.len = sDevImportedDERLen;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
default:
|
2016-12-14 15:10:25 +03:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2016-04-20 11:14:22 +03:00
|
|
|
mTrustedRoot.reset(CERT_NewTempCertificate(
|
|
|
|
CERT_GetDefaultCertDB(), &trustedDER, nullptr, false, true));
|
2014-02-15 02:37:07 +04:00
|
|
|
if (!mTrustedRoot) {
|
2016-12-14 15:10:25 +03:00
|
|
|
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2016-12-14 15:10:25 +03:00
|
|
|
return NS_OK;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2014-07-31 23:17:31 +04:00
|
|
|
Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
|
|
|
|
IssuerChecker& checker, Time)
|
2014-07-03 03:15:16 +04:00
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
{
|
|
|
|
MOZ_ASSERT(mTrustedRoot);
|
|
|
|
if (!mTrustedRoot) {
|
2014-07-18 22:48:49 +04:00
|
|
|
return Result::FATAL_ERROR_INVALID_STATE;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2014-07-03 03:15:16 +04:00
|
|
|
// TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
|
|
|
|
// FindIssuer must only pass certificates with a matching subject name to
|
|
|
|
// checker.Check, we can stop using CERT_CreateSubjectCertList and instead
|
|
|
|
// use logic like this:
|
|
|
|
//
|
|
|
|
// 1. First, try the trusted trust anchor.
|
|
|
|
// 2. Secondly, iterate through the certificates that were stored in the CMS
|
|
|
|
// message, passing each one to checker.Check.
|
2014-07-31 23:17:31 +04:00
|
|
|
SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
|
2014-07-03 03:15:16 +04:00
|
|
|
UniqueCERTCertList candidates(CERT_CreateSubjectCertList(
|
2014-08-02 10:16:21 +04:00
|
|
|
nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameSECItem, 0, false));
|
2014-07-03 03:15:16 +04:00
|
|
|
if (candidates) {
|
|
|
|
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
|
|
|
|
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
|
2014-07-31 23:17:31 +04:00
|
|
|
Input certDER;
|
2014-07-19 09:30:51 +04:00
|
|
|
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
|
|
|
|
if (rv != Success) {
|
|
|
|
continue; // probably too big
|
|
|
|
}
|
|
|
|
|
2014-07-03 03:15:16 +04:00
|
|
|
bool keepGoing;
|
2014-07-19 09:30:51 +04:00
|
|
|
rv = checker.Check(certDER, nullptr /*additionalNameConstraints*/,
|
|
|
|
keepGoing);
|
2014-07-18 22:48:49 +04:00
|
|
|
if (rv != Success) {
|
|
|
|
return rv;
|
2014-07-03 03:15:16 +04:00
|
|
|
}
|
|
|
|
if (!keepGoing) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-07-18 22:48:49 +04:00
|
|
|
return Success;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
|
2014-05-16 05:59:52 +04:00
|
|
|
const CertPolicyId& policy,
|
2014-07-31 23:17:31 +04:00
|
|
|
Input candidateCertDER,
|
2014-07-19 09:30:51 +04:00
|
|
|
/*out*/ TrustLevel& trustLevel) {
|
2014-05-16 05:59:52 +04:00
|
|
|
MOZ_ASSERT(policy.IsAnyPolicy());
|
2014-02-15 02:37:07 +04:00
|
|
|
MOZ_ASSERT(mTrustedRoot);
|
2014-07-20 22:06:26 +04:00
|
|
|
if (!policy.IsAnyPolicy()) {
|
2014-07-18 22:48:49 +04:00
|
|
|
return Result::FATAL_ERROR_INVALID_ARGS;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
if (!mTrustedRoot) {
|
2014-07-18 22:48:49 +04:00
|
|
|
return Result::FATAL_ERROR_INVALID_STATE;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Handle active distrust of the certificate.
|
2014-06-03 21:47:25 +04:00
|
|
|
|
|
|
|
// XXX: This would be cleaner and more efficient if we could get the trust
|
|
|
|
// information without constructing a CERTCertificate here, but NSS doesn't
|
|
|
|
// expose it in any other easy-to-use fashion.
|
2014-07-31 23:17:31 +04:00
|
|
|
SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
|
2016-04-20 11:14:22 +03:00
|
|
|
UniqueCERTCertificate candidateCert(CERT_NewTempCertificate(
|
2014-07-19 09:30:51 +04:00
|
|
|
CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true));
|
2014-06-03 21:47:25 +04:00
|
|
|
if (!candidateCert) {
|
2014-07-18 22:48:49 +04:00
|
|
|
return MapPRErrorCodeToResult(PR_GetError());
|
2014-06-03 21:47:25 +04:00
|
|
|
}
|
|
|
|
|
2014-02-15 02:37:07 +04:00
|
|
|
CERTCertTrust trust;
|
2014-06-03 21:47:25 +04:00
|
|
|
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
|
2014-08-08 16:39:07 +04:00
|
|
|
uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
|
2014-02-15 02:37:07 +04:00
|
|
|
|
|
|
|
// For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
|
|
|
|
// because we can have active distrust for either type of cert. Note that
|
|
|
|
// CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
|
|
|
|
// relevant trust bit isn't set then that means the cert must be considered
|
|
|
|
// distrusted.
|
2014-08-08 16:39:07 +04:00
|
|
|
uint32_t relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
|
2014-02-15 02:37:07 +04:00
|
|
|
? CERTDB_TRUSTED_CA
|
|
|
|
: CERTDB_TRUSTED;
|
|
|
|
if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD))) ==
|
|
|
|
CERTDB_TERMINAL_RECORD) {
|
2014-07-20 22:06:26 +04:00
|
|
|
trustLevel = TrustLevel::ActivelyDistrusted;
|
2014-07-18 22:48:49 +04:00
|
|
|
return Success;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// mTrustedRoot is the only trust anchor for this validation.
|
2014-06-03 21:47:25 +04:00
|
|
|
if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
|
2014-07-20 22:06:26 +04:00
|
|
|
trustLevel = TrustLevel::TrustAnchor;
|
2014-07-18 22:48:49 +04:00
|
|
|
return Success;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2014-07-20 22:06:26 +04:00
|
|
|
trustLevel = TrustLevel::InheritsTrust;
|
2014-07-18 22:48:49 +04:00
|
|
|
return Success;
|
2014-02-15 02:37:07 +04:00
|
|
|
}
|
|
|
|
|
2015-02-07 23:14:31 +03:00
|
|
|
Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
|
|
|
|
/*out*/ uint8_t* digestBuf,
|
2014-07-07 06:36:05 +04:00
|
|
|
size_t digestBufLen) {
|
2015-02-07 23:14:31 +03:00
|
|
|
return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
|
2014-07-07 06:36:05 +04:00
|
|
|
}
|
|
|
|
|
2015-04-07 02:10:28 +03:00
|
|
|
Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
|
|
|
Duration,
|
2014-07-31 23:17:31 +04:00
|
|
|
/*optional*/ const Input*,
|
|
|
|
/*optional*/ const Input*) {
|
2014-02-17 05:35:40 +04:00
|
|
|
// We don't currently do revocation checking. If we need to distrust an Apps
|
|
|
|
// certificate, we will use the active distrust mechanism.
|
2014-07-18 22:48:49 +04:00
|
|
|
return Success;
|
2014-02-17 05:35:40 +04:00
|
|
|
}
|
|
|
|
|
2017-04-04 03:17:38 +03:00
|
|
|
Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
|
|
|
|
const CertPolicyId& requiredPolicy) {
|
|
|
|
MOZ_ASSERT(requiredPolicy.IsAnyPolicy());
|
2014-07-18 22:48:49 +04:00
|
|
|
SECStatus srv =
|
|
|
|
ConstructCERTCertListFromReversedDERArray(certChain, mCertChain);
|
|
|
|
if (srv != SECSuccess) {
|
|
|
|
return MapPRErrorCodeToResult(PR_GetError());
|
|
|
|
}
|
|
|
|
return Success;
|
2014-07-07 02:55:38 +04:00
|
|
|
}
|
|
|
|
|
2015-09-11 21:52:30 +03:00
|
|
|
Result AppTrustDomain::CheckSignatureDigestAlgorithm(DigestAlgorithm,
|
|
|
|
EndEntityOrCA, Time) {
|
2015-02-15 03:59:02 +03:00
|
|
|
// TODO: We should restrict signatures to SHA-256 or better.
|
|
|
|
return Success;
|
|
|
|
}
|
|
|
|
|
2015-02-03 03:17:08 +03:00
|
|
|
Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
|
|
|
|
EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) {
|
2017-02-06 18:43:38 +03:00
|
|
|
if (modulusSizeInBits < 2048u) {
|
2015-02-03 03:17:08 +03:00
|
|
|
return Result::ERROR_INADEQUATE_KEY_SIZE;
|
|
|
|
}
|
|
|
|
return Success;
|
|
|
|
}
|
|
|
|
|
2015-02-07 23:14:31 +03:00
|
|
|
Result AppTrustDomain::VerifyRSAPKCS1SignedDigest(
|
|
|
|
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
|
2015-02-15 03:59:02 +03:00
|
|
|
// TODO: We should restrict signatures to SHA-256 or better.
|
2015-02-07 23:14:31 +03:00
|
|
|
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
|
|
|
|
mPinArg);
|
|
|
|
}
|
|
|
|
|
2015-02-03 03:17:08 +03:00
|
|
|
Result AppTrustDomain::CheckECDSACurveIsAcceptable(
|
|
|
|
EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
|
|
|
|
switch (curve) {
|
|
|
|
case NamedCurve::secp256r1: // fall through
|
|
|
|
case NamedCurve::secp384r1: // fall through
|
|
|
|
case NamedCurve::secp521r1:
|
|
|
|
return Success;
|
|
|
|
}
|
|
|
|
|
|
|
|
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
|
2014-07-16 03:49:00 +04:00
|
|
|
}
|
|
|
|
|
2015-02-07 23:14:31 +03:00
|
|
|
Result AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
|
|
|
|
Input subjectPublicKeyInfo) {
|
|
|
|
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
|
|
|
|
mPinArg);
|
|
|
|
}
|
|
|
|
|
2015-06-29 23:19:00 +03:00
|
|
|
Result AppTrustDomain::CheckValidityIsAcceptable(
|
|
|
|
Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
|
|
|
|
KeyPurposeId /*keyPurpose*/) {
|
|
|
|
return Success;
|
|
|
|
}
|
|
|
|
|
2016-05-06 02:11:11 +03:00
|
|
|
Result AppTrustDomain::NetscapeStepUpMatchesServerAuth(Time /*notBefore*/,
|
|
|
|
/*out*/ bool& matches) {
|
|
|
|
matches = false;
|
|
|
|
return Success;
|
|
|
|
}
|
|
|
|
|
2016-06-15 11:11:00 +03:00
|
|
|
void AppTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
|
|
|
|
Input /*extensionData*/) {}
|
|
|
|
|
2014-07-07 02:55:38 +04:00
|
|
|
} // namespace psm
|
|
|
|
} // namespace mozilla
|