Bug 1560354 - Transform some nss types into gecko types. r=keeler,dragana
Differential Revision: https://phabricator.services.mozilla.com/D35566 --HG-- extra : moz-landing-system : lando
Родитель
96fabacc4e
Коммит
5fad51dd02
|
@ -447,8 +447,8 @@ Result CertVerifier::VerifyCert(
|
|||
const char* hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ const Flags flags,
|
||||
/*optional*/ const SECItem* stapledOCSPResponseSECItem,
|
||||
/*optional*/ const SECItem* sctsFromTLSSECItem,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
|
||||
/*optional*/ const OriginAttributes& originAttributes,
|
||||
/*optional out*/ SECOidTag* evOidPolicy,
|
||||
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
|
||||
|
@ -516,9 +516,9 @@ Result CertVerifier::VerifyCert(
|
|||
|
||||
Input stapledOCSPResponseInput;
|
||||
const Input* stapledOCSPResponse = nullptr;
|
||||
if (stapledOCSPResponseSECItem) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
|
||||
stapledOCSPResponseSECItem->len);
|
||||
if (stapledOCSPResponseArg) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseArg->Elements(),
|
||||
stapledOCSPResponseArg->Length());
|
||||
if (rv != Success) {
|
||||
// The stapled OCSP response was too big.
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
|
@ -527,12 +527,11 @@ Result CertVerifier::VerifyCert(
|
|||
}
|
||||
|
||||
Input sctsFromTLSInput;
|
||||
if (sctsFromTLSSECItem) {
|
||||
rv = sctsFromTLSInput.Init(sctsFromTLSSECItem->data,
|
||||
sctsFromTLSSECItem->len);
|
||||
// Silently discard the error of the extension being too big,
|
||||
// do not fail the verification.
|
||||
MOZ_ASSERT(rv == Success);
|
||||
if (sctsFromTLS) {
|
||||
rv = sctsFromTLSInput.Init(sctsFromTLS->Elements(), sctsFromTLS->Length());
|
||||
if (rv != Success && sctsFromTLSInput.GetLength() != 0) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
switch (usage) {
|
||||
|
@ -854,8 +853,8 @@ static bool CertIsSelfSigned(const UniqueCERTCertificate& cert, void* pinarg) {
|
|||
|
||||
Result CertVerifier::VerifySSLServerCert(
|
||||
const UniqueCERTCertificate& peerCert,
|
||||
/*optional*/ const SECItem* stapledOCSPResponse,
|
||||
/*optional*/ const SECItem* sctsFromTLS, Time time,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, Time time,
|
||||
/*optional*/ void* pinarg, const nsACString& hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase,
|
||||
|
@ -924,8 +923,8 @@ Result CertVerifier::VerifySSLServerCert(
|
|||
Input stapledOCSPResponseInput;
|
||||
Input* responseInputPtr = nullptr;
|
||||
if (stapledOCSPResponse) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
|
||||
stapledOCSPResponse->len);
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->Elements(),
|
||||
stapledOCSPResponse->Length());
|
||||
if (rv != Success) {
|
||||
// The stapled OCSP response was too big.
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
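Review bot: In the `-527,12 +527,11` hunk of CertVerifier::VerifyCert, the new guard `if (rv != Success && sctsFromTLSInput.GetLength() != 0)` carries no comment, while the removed lines documented that an oversized SCT extension is discarded without failing verification. If Input::Init leaves the object empty when it fails (not visible on this page), the branch never fires and the failure is still dropped silently, so a reader cannot tell whether that is intended. I would restore the explanation above the check, e.g. `// An SCT list that Init rejects is discarded and verification continues without SCTs; only a failed Init that still left data behind is fatal.` The function body continues outside the hunk.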
|
||||
|
|
|
@ -146,8 +146,10 @@ class CertVerifier {
|
|||
CERTCertificate* cert, SECCertificateUsage usage,
|
||||
mozilla::pkix::Time time, void* pinArg, const char* hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain, Flags flags = 0,
|
||||
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
|
||||
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
|
||||
/*optional in*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg =
|
||||
Maybe<nsTArray<uint8_t>>(),
|
||||
/*optional in*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS =
|
||||
Maybe<nsTArray<uint8_t>>(),
|
||||
/*optional in*/ const OriginAttributes& originAttributes =
|
||||
OriginAttributes(),
|
||||
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
|
||||
|
@ -159,8 +161,9 @@ class CertVerifier {
|
|||
|
||||
mozilla::pkix::Result VerifySSLServerCert(
|
||||
const UniqueCERTCertificate& peerCert,
|
||||
/*optional*/ const SECItem* stapledOCSPResponse,
|
||||
/*optional*/ const SECItem* sctsFromTLS, mozilla::pkix::Time time,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
|
||||
mozilla::pkix::Time time,
|
||||
/*optional*/ void* pinarg, const nsACString& hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase = false,
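Review bot: The two new default arguments of VerifyCert spell the empty value as `Maybe<nsTArray<uint8_t>>()`, which is long enough to force a line break in each declaration; `= Nothing()` expresses the same default. The same applies to the updated call sites in VerifyCertAtTime, nsNSSSocketInfo::IsAcceptableForHost and nsSiteSecurityService::ProcessPKPHeader, where `Nothing(),  // stapledOCSPResponse` would read more clearly. Separately, the parameter is named `stapledOCSPResponseArg` here but `stapledOCSPResponse` in VerifySSLServerCert, while `sctsFromTLS` has no suffix in either; one naming scheme would make the two declarations easier to compare.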
|
||||
|
|
|
@ -731,20 +731,23 @@ class SSLServerCertVerificationJob : public Runnable {
|
|||
nsNSSSocketInfo* infoObject,
|
||||
const UniqueCERTCertificate& serverCert,
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time, PRTime prtime);
|
||||
|
||||
private:
|
||||
NS_DECL_NSIRUNNABLE
|
||||
|
||||
// Must be called only on the socket transport thread
|
||||
SSLServerCertVerificationJob(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime);
|
||||
SSLServerCertVerificationJob(const RefPtr<SharedCertVerifier>& certVerifier,
|
||||
const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject,
|
||||
const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time,
|
||||
PRTime prtime);
|
||||
const RefPtr<SharedCertVerifier> mCertVerifier;
|
||||
const void* const mFdForLogging;
|
||||
const RefPtr<nsNSSSocketInfo> mInfoObject;
|
||||
|
@ -754,16 +757,17 @@ class SSLServerCertVerificationJob : public Runnable {
|
|||
const Time mTime;
|
||||
const PRTime mPRTime;
|
||||
const TimeStamp mJobStartTime;
|
||||
const UniqueSECItem mStapledOCSPResponse;
|
||||
const UniqueSECItem mSCTsFromTLSExtension;
|
||||
Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
|
||||
Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
|
||||
};
|
||||
|
||||
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime)
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime)
|
||||
: Runnable("psm::SSLServerCertVerificationJob"),
|
||||
mCertVerifier(certVerifier),
|
||||
mFdForLogging(fdForLogging),
|
||||
|
@ -774,8 +778,8 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
|||
mTime(time),
|
||||
mPRTime(prtime),
|
||||
mJobStartTime(TimeStamp::Now()),
|
||||
mStapledOCSPResponse(SECITEM_DupItem(stapledOCSPResponse)),
|
||||
mSCTsFromTLSExtension(SECITEM_DupItem(sctsFromTLSExtension)) {}
|
||||
mStapledOCSPResponse(std::move(stapledOCSPResponse)),
|
||||
mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)) {}
|
||||
|
||||
// This function assumes that we will only use the SPDY connection coalescing
|
||||
// feature on connections where we have negotiated SPDY using NPN. If we ever
|
||||
|
@ -1271,8 +1275,8 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
|
|||
nsNSSSocketInfo* infoObject,
|
||||
const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList& peerCertChain,
|
||||
const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension,
|
||||
const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time) {
|
||||
MOZ_ASSERT(infoObject);
|
||||
MOZ_ASSERT(cert);
|
||||
|
@ -1375,9 +1379,10 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
|
|||
SECStatus SSLServerCertVerificationJob::Dispatch(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert,
|
||||
const UniqueCERTCertList& peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime) {
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime) {
|
||||
// Runs on the socket transport thread
|
||||
if (!certVerifier || !infoObject || !serverCert) {
|
||||
NS_ERROR("Invalid parameters for SSL server cert validation");
|
||||
|
@ -1439,10 +1444,9 @@ SSLServerCertVerificationJob::Run() {
|
|||
// Reset the error code here so we can detect if AuthCertificate fails to
|
||||
// set the error code if/when it fails.
|
||||
PR_SetError(0, 0);
|
||||
SECStatus rv =
|
||||
AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain,
|
||||
mStapledOCSPResponse.get(), mSCTsFromTLSExtension.get(),
|
||||
mProviderFlags, mTime);
|
||||
SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
|
||||
mPeerCertChain, mStapledOCSPResponse,
|
||||
mSCTsFromTLSExtension, mProviderFlags, mTime);
|
||||
MOZ_ASSERT((mPeerCertChain && rv == SECSuccess) ||
|
||||
(!mPeerCertChain && rv != SECSuccess),
|
||||
"AuthCertificate() should take ownership of chain on failure");
|
||||
|
@ -1586,18 +1590,21 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
|
|||
// return a stapled OCSP response.
|
||||
// We don't own these pointers.
|
||||
const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd);
|
||||
SECItem* stapledOCSPResponse = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
|
||||
// we currently only support single stapled responses
|
||||
if (csa && csa->len == 1) {
|
||||
stapledOCSPResponse = &csa->items[0];
|
||||
stapledOCSPResponse.emplace();
|
||||
stapledOCSPResponse->SetCapacity(csa->items[0].len);
|
||||
stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len);
|
||||
}
|
||||
|
||||
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
|
||||
// SSL_PeerSignedCertTimestamps returns null on error and empty item
|
||||
// when no extension was returned by the server. We always use null when
|
||||
// no extension was received (for whatever reason), ignoring errors.
|
||||
sctsFromTLSExtension = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
|
||||
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtensionSECItem) {
|
||||
sctsFromTLSExtension.emplace();
|
||||
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
|
||||
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
|
||||
sctsFromTLSExtensionSECItem->len);
|
||||
}
|
||||
|
||||
uint32_t providerFlags = 0;
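Review bot: The SSLServerCertVerificationJob constructor and Dispatch now take `Maybe<nsTArray<uint8_t>>& stapledOCSPResponse` and `Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension` by non-const lvalue reference, and the constructor initialises its members with `std::move(...)` from them. That empties the caller's objects in AuthCertificateHook with nothing at the call site showing the transfer. Any later use of those variables after Dispatch returns would presumably see moved-from values and verify without the stapled OCSP response or SCTs. Declaring the parameters as `Maybe<nsTArray<uint8_t>>&& stapledOCSPResponse` (and likewise for `sctsFromTLSExtension`) makes callers write `std::move(...)`, so the ownership hand-off is explicit. The bodies of Dispatch and AuthCertificateHook extend outside these hunks, so whether such a reuse exists today cannot be seen here.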
|
||||
|
|
|
@ -1045,17 +1045,22 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
|
|||
|
||||
// We don't own these pointers.
|
||||
const SECItemArray* stapledOCSPResponses = SSL_PeerStapledOCSPResponses(fd);
|
||||
const SECItem* stapledOCSPResponse = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
|
||||
// we currently only support single stapled responses
|
||||
if (stapledOCSPResponses && stapledOCSPResponses->len == 1) {
|
||||
stapledOCSPResponse = &stapledOCSPResponses->items[0];
|
||||
stapledOCSPResponse.emplace();
|
||||
stapledOCSPResponse->SetCapacity(stapledOCSPResponses->items[0].len);
|
||||
stapledOCSPResponse->AppendElements(stapledOCSPResponses->items[0].data,
|
||||
stapledOCSPResponses->items[0].len);
|
||||
}
|
||||
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
|
||||
// SSL_PeerSignedCertTimestamps returns null on error and empty item
|
||||
// when no extension was returned by the server. We always use null when
|
||||
// no extension was received (for whatever reason), ignoring errors.
|
||||
sctsFromTLSExtension = nullptr;
|
||||
|
||||
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
|
||||
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtensionSECItem) {
|
||||
sctsFromTLSExtension.emplace();
|
||||
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
|
||||
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
|
||||
sctsFromTLSExtensionSECItem->len);
|
||||
}
|
||||
|
||||
int flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY;
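Review bot: In RebuildVerifiedCertificateInformation the removed lines mapped an empty item from SSL_PeerSignedCertTimestamps to "no extension", but the new `if (sctsFromTLSExtensionSECItem) {` block emplaces an empty array for that case. The verifier therefore now receives a present-but-empty SCT list instead of an absent one. The explanatory comment about null-on-error versus empty-when-absent was dropped along with the check. If the old normalisation is still wanted, the condition can be `if (sctsFromTLSExtensionSECItem && sctsFromTLSExtensionSECItem->len > 0) {`, with the comment kept. The identical block added to AuthCertificateHook has the same change. Both are cut by their hunks, so downstream handling of an empty list is not visible here.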
|
||||
|
|
|
@ -1143,8 +1143,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
|
|||
if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
|
||||
result = certVerifier->VerifySSLServerCert(
|
||||
nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
aTime,
|
||||
nullptr, // Assume no context
|
||||
aHostname, resultChain,
|
||||
|
@ -1156,8 +1156,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
|
|||
nssCert.get(), aUsage, aTime,
|
||||
nullptr, // Assume no context
|
||||
aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
OriginAttributes(), &evOidPolicy);
|
||||
}
|
||||
|
||||
|
|
|
@ -464,15 +464,15 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname,
|
|||
}
|
||||
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY;
|
||||
UniqueCERTCertList unusedBuiltChain;
|
||||
mozilla::pkix::Result result =
|
||||
certVerifier->VerifySSLServerCert(nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
mozilla::pkix::Now(),
|
||||
nullptr, // pinarg
|
||||
hostname, unusedBuiltChain,
|
||||
false, // save intermediates
|
||||
flags);
|
||||
mozilla::pkix::Result result = certVerifier->VerifySSLServerCert(
|
||||
nssCert,
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
mozilla::pkix::Now(),
|
||||
nullptr, // pinarg
|
||||
hostname, unusedBuiltChain,
|
||||
false, // save intermediates
|
||||
flags);
|
||||
if (result != mozilla::pkix::Success) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
|
|
@ -1051,15 +1051,15 @@ nsresult nsSiteSecurityService::ProcessPKPHeader(
|
|||
// anyway).
|
||||
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
|
||||
CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
|
||||
if (certVerifier->VerifySSLServerCert(nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
now, nullptr, // pinarg
|
||||
host, // hostname
|
||||
certList,
|
||||
false, // don't store intermediates
|
||||
flags, aOriginAttributes) !=
|
||||
mozilla::pkix::Success) {
|
||||
if (certVerifier->VerifySSLServerCert(
|
||||
nssCert,
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
now, nullptr, // pinarg
|
||||
host, // hostname
|
||||
certList,
|
||||
false, // don't store intermediates
|
||||
flags, aOriginAttributes) != mozilla::pkix::Success) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
|
|