summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/TLSClientAuthCertSelection.h
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /security/manager/ssl/TLSClientAuthCertSelection.h
parentInitial commit. (diff)
downloadfirefox-esr-upstream/115.8.0esr.tar.xz
firefox-esr-upstream/115.8.0esr.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/TLSClientAuthCertSelection.h')
-rw-r--r--security/manager/ssl/TLSClientAuthCertSelection.h120
1 files changed, 120 insertions, 0 deletions
diff --git a/security/manager/ssl/TLSClientAuthCertSelection.h b/security/manager/ssl/TLSClientAuthCertSelection.h
new file mode 100644
index 0000000000..c1e90fc775
--- /dev/null
+++ b/security/manager/ssl/TLSClientAuthCertSelection.h
@@ -0,0 +1,120 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
+#define SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
+
+#include "NSSSocketControl.h"
+#include "nsIX509Cert.h"
+#include "nsNSSIOLayer.h"
+#include "nsThreadUtils.h"
+#include "ssl.h"
+
+class NSSSocketControl;
+
+// NSS callback to select a client authentication certificate. See documentation
+// at the top of TLSClientAuthCertSelection.cpp.
+SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
+ CERTDistNames* caNames,
+ CERTCertificate** pRetCert,
+ SECKEYPrivateKey** pRetKey);
+
+// Base class for continuing the operation of selecting a client authentication
+// certificate. Should not be used directly.
+class ClientAuthCertificateSelectedBase : public mozilla::Runnable {
+ public:
+ ClientAuthCertificateSelectedBase()
+ : Runnable("ClientAuthCertificateSelectedBase") {}
+
+ // Call to indicate that a client authentication certificate has been
+ // selected.
+ void SetSelectedClientAuthData(
+ nsTArray<uint8_t>&& selectedCertBytes,
+ nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes);
+
+ protected:
+ nsTArray<uint8_t> mSelectedCertBytes;
+ // The bytes of the certificates that form a chain from the selected
+ // certificate to a root. Necessary so NSS can include them in the TLS
+ // handshake (see note about mClientCertChain in NSSSocketControl).
+ nsTArray<nsTArray<uint8_t>> mSelectedCertChainBytes;
+};
+
+class ClientAuthCertificateSelected : public ClientAuthCertificateSelectedBase {
+ public:
+ explicit ClientAuthCertificateSelected(NSSSocketControl* socketInfo)
+ : mSocketInfo(socketInfo) {}
+
+ NS_IMETHOD Run() override;
+
+ private:
+ RefPtr<NSSSocketControl> mSocketInfo;
+};
+
+// This class is used to store the needed information for invoking the client
+// cert selection UI.
+class ClientAuthInfo final {
+ public:
+ explicit ClientAuthInfo(const nsACString& hostName,
+ const mozilla::OriginAttributes& originAttributes,
+ int32_t port, uint32_t providerFlags,
+ uint32_t providerTlsFlags);
+ ~ClientAuthInfo() = default;
+ ClientAuthInfo(ClientAuthInfo&& aOther) noexcept;
+
+ const nsACString& HostName() const;
+ const mozilla::OriginAttributes& OriginAttributesRef() const;
+ int32_t Port() const;
+ uint32_t ProviderFlags() const;
+ uint32_t ProviderTlsFlags() const;
+
+ ClientAuthInfo(const ClientAuthInfo&) = delete;
+ void operator=(const ClientAuthInfo&) = delete;
+
+ private:
+ nsCString mHostName;
+ mozilla::OriginAttributes mOriginAttributes;
+ int32_t mPort;
+ uint32_t mProviderFlags;
+ uint32_t mProviderTlsFlags;
+};
+
+// Helper runnable to select a client authentication certificate. Gets created
+// on the socket thread or an IPC thread, runs on the main thread, and then runs
+// its continuation on the socket thread.
+class SelectClientAuthCertificate : public mozilla::Runnable {
+ public:
+ SelectClientAuthCertificate(
+ ClientAuthInfo&& info, mozilla::UniqueCERTCertificate&& serverCert,
+ nsTArray<nsTArray<uint8_t>>&& caNames,
+ mozilla::UniqueCERTCertList&& potentialClientCertificates,
+ ClientAuthCertificateSelectedBase* continuation)
+ : Runnable("SelectClientAuthCertificate"),
+ mInfo(std::move(info)),
+ mServerCert(std::move(serverCert)),
+ mCANames(std::move(caNames)),
+ mPotentialClientCertificates(std::move(potentialClientCertificates)),
+ mContinuation(continuation) {}
+
+ NS_IMETHOD Run() override;
+
+ private:
+ mozilla::pkix::Result BuildChainForCertificate(
+ nsTArray<uint8_t>& certBytes,
+ nsTArray<nsTArray<uint8_t>>& certChainBytes);
+ void DoSelectClientAuthCertificate();
+
+ ClientAuthInfo mInfo;
+ mozilla::UniqueCERTCertificate mServerCert;
+ nsTArray<nsTArray<uint8_t>> mCANames;
+ mozilla::UniqueCERTCertList mPotentialClientCertificates;
+ RefPtr<ClientAuthCertificateSelectedBase> mContinuation;
+
+ nsTArray<nsTArray<uint8_t>> mEnterpriseCertificates;
+ nsTArray<uint8_t> mSelectedCertBytes;
+};
+
+#endif // SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_