gecko-dev/security/manager/tools/makeCNNICHashes.js

262 строки
8.9 KiB
JavaScript

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// How to run this file:
// 1. [obtain CNNIC-issued certificates to be whitelisted]
// 2. [obtain firefox source code]
// 3. [build/obtain firefox binaries]
// 4. run `[path to]/run-mozilla.sh [path to]/xpcshell makeCNNICHashes.js \
// [path to]/certlist'
// where certlist is a file containing a list of paths to certificates to
// be included in the whitelist
const Cc = Components.classes;
const Ci = Components.interfaces;
const Cu = Components.utils;
let gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
let { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
let { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
const HEADER = "// This Source Code Form is subject to the terms of the Mozilla Public\n" +
"// License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
"// file, You can obtain one at http://mozilla.org/MPL/2.0/.\n" +
"//\n" +
"//***************************************************************************\n" +
"// This file was automatically generated by makeCNNICHashes.js. It shouldn't\n" +
"// need to be manually edited.\n" +
"//***************************************************************************\n" +
"\n";
const PREAMBLE = "#define CNNIC_WHITELIST_HASH_LEN 32\n\n" +
"struct WhitelistedCNNICHash {\n" +
" const uint8_t hash[CNNIC_WHITELIST_HASH_LEN];\n" +
"};\n\n" +
"static const struct WhitelistedCNNICHash WhitelistedCNNICHashes[] = {\n";
const POSTAMBLE = "};\n";
function writeString(fos, string) {
fos.write(string, string.length);
}
// fingerprint is in the form "00:11:22:..."
function hexSlice(fingerprint, start, end) {
let hexBytes = fingerprint.split(":");
let ret = "";
for (let i = start; i < end; i++) {
let hex = hexBytes[i];
ret += "0x" + hex;
if (i < end - 1) {
ret += ", ";
}
}
return ret;
}
// Write the C++ header file
function writeHashes(certs, lastValidTime, fos) {
writeString(fos, HEADER);
writeString(fos, `// This file may be removed after ${new Date(lastValidTime)}\n\n`);
writeString(fos, PREAMBLE);
certs.forEach(function(cert) {
writeString(fos, " {\n");
writeString(fos, " { " + hexSlice(cert.sha256Fingerprint, 0, 16) + ",\n");
writeString(fos, " " + hexSlice(cert.sha256Fingerprint, 16, 32) + " },\n");
writeString(fos, " },\n");
});
writeString(fos, POSTAMBLE);
}
function readFileContents(file) {
let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
.createInstance(Ci.nsIFileInputStream);
fstream.init(file, -1, 0, 0);
let data = NetUtil.readInputStreamToString(fstream, fstream.available());
fstream.close();
return data;
}
function relativePathToFile(path) {
let currentDirectory = Cc["@mozilla.org/file/directory_service;1"]
.getService(Ci.nsIProperties)
.get("CurWorkD", Ci.nsILocalFile);
let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
file.initWithPath(currentDirectory.path + "/" + path);
return file;
}
function pathToFile(path) {
let file = relativePathToFile(path);
if (!file.exists()) {
// Fall back to trying absolute path
file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
file.initWithPath(path);
}
return file;
}
// punt on dealing with leap-years
const sixYearsInMilliseconds = 6 * 366 * 24 * 60 * 60 * 1000;
function loadCertificates(certFile) {
let nowInMilliseconds = (new Date()).getTime();
// months are 0-indexed, so April is month 3 :(
let april1InMilliseconds = (new Date(2015, 3, 1)).getTime();
let latestNotAfter = nowInMilliseconds;
let certs = [];
let certMap = {};
let invalidCerts = [];
let paths = readFileContents(certFile).split("\n");
for (let path of paths) {
if (!path) {
continue;
}
let certData = readFileContents(pathToFile(path));
let cert = null;
try {
cert = gCertDB.constructX509FromBase64(certData);
} catch (e) {}
if (!cert) {
cert = gCertDB.constructX509(certData, certData.length);
}
// Don't add multiple copies of any particular certificate.
if (cert.sha256Fingerprint in certMap) {
continue;
}
certMap[cert.sha256Fingerprint] = true;
// If we can't verify the certificate, don't include it. Unfortunately, if
// a CNNIC-issued certificate wasn't previously on the whitelist but it
// otherwise verifies successfully, verifyCertNow will return
// SEC_ERROR_REVOKED_CERTIFICATE, so we count that as verifying
// successfully. If the certificate is later revoked by CNNIC, the user
// will see that when they attempt to connect to a site using it and we do
// normal revocation checking.
let errorCode = gCertDB.verifyCertNow(cert, 2 /* SSL Server */,
Ci.nsIX509CertDB.LOCAL_ONLY, null,
{}, {});
if (errorCode != 0 &&
errorCode != -8180 /* SEC_ERROR_REVOKED_CERTIFICATE */) {
continue;
}
let durationMilliseconds = (cert.validity.notAfter - cert.validity.notBefore) / 1000;
let notBeforeMilliseconds = cert.validity.notBefore / 1000;
let notAfterMilliseconds = cert.validity.notAfter / 1000;
// Only consider certificates that were issued before 1 April 2015, haven't
// expired, and have a validity period shorter than 6 years (there is a
// delegated OCSP responder certificate with a validity period of 6 years
// that should be on the whitelist).
if (notBeforeMilliseconds < april1InMilliseconds &&
notAfterMilliseconds > nowInMilliseconds &&
durationMilliseconds < sixYearsInMilliseconds) {
certs.push(cert);
if (notAfterMilliseconds > latestNotAfter) {
latestNotAfter = notAfterMilliseconds;
}
}
if (durationMilliseconds >= sixYearsInMilliseconds) {
invalidCerts.push(cert);
}
}
return { certs: certs,
lastValidTime: latestNotAfter,
invalidCerts: invalidCerts };
}
// Expects something like "00:11:22:...", returns a string of bytes.
function hexToBinaryString(hexString) {
let hexBytes = hexString.split(":");
let result = "";
for (let hexByte of hexBytes) {
result += String.fromCharCode(parseInt(hexByte, 16));
}
return result;
}
function compareCertificatesByHash(certA, certB) {
let aBin = hexToBinaryString(certA.sha256Fingerprint);
let bBin = hexToBinaryString(certB.sha256Fingerprint);
if (aBin < bBin) {
return -1;
}
if (aBin > bBin) {
return 1;
}
return 0;
}
function certToPEM(cert) {
let der = cert.getRawDER({});
let derString = '';
for (let i = 0; i < der.length; i++) {
derString += String.fromCharCode(der[i]);
}
let base64Lines = btoa(derString).replace(/(.{64})/g, "$1\n");
let output = "-----BEGIN CERTIFICATE-----\n";
for (let line of base64Lines.split("\n")) {
if (line.length > 0) {
output += line + "\n";
}
}
output += "-----END CERTIFICATE-----";
return output;
}
function loadIntermediates(intermediatesFile) {
let pem = readFileContents(intermediatesFile);
let intermediates = [];
let currentPEM = "";
for (let line of pem.split("\r\n")) {
if (line == "-----END CERTIFICATE-----") {
if (currentPEM) {
intermediates.push(gCertDB.constructX509FromBase64(currentPEM));
}
currentPEM = "";
continue;
}
if (line != "-----BEGIN CERTIFICATE-----") {
currentPEM += line;
}
}
return intermediates;
}
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
if (arguments.length != 2) {
throw "Usage: makeCNNICHashes.js <intermediates file> <path to list of certificates>";
}
Services.prefs.setIntPref("security.OCSP.enabled", 0);
let intermediatesFile = pathToFile(arguments[0]);
let intermediates = loadIntermediates(intermediatesFile);
let certFile = pathToFile(arguments[1]);
let { certs, lastValidTime, invalidCerts } = loadCertificates(certFile);
dump("The following certificates were not included due to overlong validity periods:\n");
for (let cert of invalidCerts) {
dump(certToPEM(cert) + "\n");
}
// Sort the key hashes to allow for binary search.
certs.sort(compareCertificatesByHash);
// Write the output file.
let outFile = relativePathToFile("CNNICHashWhitelist.inc");
if (!outFile.exists()) {
outFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0644);
}
let outStream = Cc["@mozilla.org/network/file-output-stream;1"]
.createInstance(Ci.nsIFileOutputStream);
outStream.init(outFile, -1, 0, 0);
writeHashes(certs, lastValidTime, outStream);
outStream.close();