diff options
Diffstat (limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 2029 |
1 files changed, 2029 insertions, 0 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp new file mode 100644 index 0000000000..0c128eabf2 --- /dev/null +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -0,0 +1,2029 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "NSSCertDBTrustDomain.h" + +#include <stdint.h> +#include <utility> + +#include "CRLiteTimestamp.h" +#include "ExtendedValidation.h" +#include "MultiLogCTVerifier.h" +#include "NSSErrorsService.h" +#include "PublicKeyPinningService.h" +#include "cert.h" +#include "cert_storage/src/cert_storage.h" +#include "certdb.h" +#include "mozilla/AppShutdown.h" +#include "mozilla/Assertions.h" +#include "mozilla/Casting.h" +#include "mozilla/ClearOnShutdown.h" +#include "mozilla/Logging.h" +#include "mozilla/PodOperations.h" +#include "mozilla/Services.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/SyncRunnable.h" +#include "mozilla/TimeStamp.h" +#include "mozilla/Unused.h" +#include "mozpkix/Result.h" +#include "mozpkix/pkix.h" +#include "mozpkix/pkixnss.h" +#include "mozpkix/pkixutil.h" +#include "nsCRTGlue.h" +#include "nsIObserverService.h" +#include "nsNetCID.h" +#include "nsNSSCallbacks.h" +#include "nsNSSCertHelper.h" +#include "nsNSSCertificate.h" +#include "nsNSSCertificateDB.h" +#include "nsNSSIOLayer.h" +#include "nsPrintfCString.h" +#include "nsServiceManagerUtils.h" +#include "nsThreadUtils.h" +#include "nss.h" +#include "pk11pub.h" +#include "prerror.h" +#include "secder.h" +#include "secerr.h" + +#ifdef MOZ_WIDGET_COCOA +# include "nsCocoaFeatures.h" +#endif + +#include "TrustOverrideUtils.h" +#include "TrustOverride-AppleGoogleDigiCertData.inc" +#include "TrustOverride-SymantecData.inc" + +using namespace mozilla; +using namespace mozilla::ct; +using namespace mozilla::pkix; + +extern LazyLogModule gCertVerifierLog; + +static const uint64_t ServerFailureDelaySeconds = 5 * 60; + +namespace mozilla { +namespace psm { + +NSSCertDBTrustDomain::NSSCertDBTrustDomain( + SECTrustType certDBTrustType, OCSPFetching ocspFetching, + OCSPCache& ocspCache, + /*optional but shouldn't be*/ void* pinArg, TimeDuration ocspTimeoutSoft, + TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays, + unsigned int minRSABits, ValidityCheckingMode validityCheckingMode, + NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode, + const OriginAttributes& originAttributes, + const Vector<Input>& thirdPartyRootInputs, + const Vector<Input>& thirdPartyIntermediateInputs, + const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates, + /*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, + /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo, + /*optional*/ const char* hostname) + : mCertDBTrustType(certDBTrustType), + mOCSPFetching(ocspFetching), + mOCSPCache(ocspCache), + mPinArg(pinArg), + mOCSPTimeoutSoft(ocspTimeoutSoft), + mOCSPTimeoutHard(ocspTimeoutHard), + mCertShortLifetimeInDays(certShortLifetimeInDays), + mMinRSABits(minRSABits), + mValidityCheckingMode(validityCheckingMode), + mNetscapeStepUpPolicy(netscapeStepUpPolicy), + mCRLiteMode(crliteMode), + mSawDistrustedCAByPolicyError(false), + mOriginAttributes(originAttributes), + mThirdPartyRootInputs(thirdPartyRootInputs), + mThirdPartyIntermediateInputs(thirdPartyIntermediateInputs), + mExtraCertificates(extraCertificates), + mBuiltChain(builtChain), + mIsBuiltChainRootBuiltInRoot(false), + mPinningTelemetryInfo(pinningTelemetryInfo), + mHostname(hostname), + mCertStorage(do_GetService(NS_CERT_STORAGE_CID)), + mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED), + mSCTListFromCertificate(), + mSCTListFromOCSPStapling(), + mBuiltInRootsModule(SECMOD_FindModule(kRootModuleName)), + mOCSPFetchStatus(OCSPFetchStatus::NotFetched) {} + +static void FindRootsWithSubject(UniqueSECMODModule& rootsModule, + SECItem subject, + /*out*/ nsTArray<nsTArray<uint8_t>>& roots) { + MOZ_ASSERT(rootsModule); + AutoSECMODListReadLock lock; + for (int slotIndex = 0; slotIndex < rootsModule->slotCount; slotIndex++) { + CERTCertificateList* rawResults = nullptr; + if (PK11_FindRawCertsWithSubject(rootsModule->slots[slotIndex], &subject, + &rawResults) != SECSuccess) { + continue; + } + // rawResults == nullptr means we didn't find any matching certificates + if (!rawResults) { + continue; + } + UniqueCERTCertificateList results(rawResults); + for (int certIndex = 0; certIndex < results->len; certIndex++) { + nsTArray<uint8_t> root; + root.AppendElements(results->certs[certIndex].data, + results->certs[certIndex].len); + roots.AppendElement(std::move(root)); + } + } +} + +// A self-signed issuer certificate should never be necessary in order to build +// a trusted certificate chain unless it is a trust anchor. This is because if +// it were necessary, there would exist another certificate with the same +// subject and public key that is also a valid issing certificate. Given this +// certificate, it is possible to build another chain using just it instead of +// it and the self-signed certificate. This is only true as long as the +// certificate extensions we support are restrictive rather than additive in +// terms of the rest of the chain (for example, we don't support policy mapping +// and we ignore any SCT information in intermediates). +static bool ShouldSkipSelfSignedNonTrustAnchor(TrustDomain& trustDomain, + Input certDER) { + BackCert cert(certDER, EndEntityOrCA::MustBeCA, nullptr); + if (cert.Init() != Success) { + return false; // turn any failures into "don't skip trying this cert" + } + // If subject != issuer, this isn't a self-signed cert. + if (!InputsAreEqual(cert.GetSubject(), cert.GetIssuer())) { + return false; + } + TrustLevel trust; + if (trustDomain.GetCertTrust(EndEntityOrCA::MustBeCA, CertPolicyId::anyPolicy, + certDER, trust) != Success) { + return false; + } + // If the trust for this certificate is anything other than "inherit", we want + // to process it like normal. + if (trust != TrustLevel::InheritsTrust) { + return false; + } + if (VerifySignedData(trustDomain, cert.GetSignedData(), + cert.GetSubjectPublicKeyInfo()) != Success) { + return false; + } + // This is a self-signed, non-trust-anchor certificate, so we shouldn't use it + // for path building. See bug 1056341. + return true; +} + +static Result CheckCandidates(TrustDomain& trustDomain, + TrustDomain::IssuerChecker& checker, + nsTArray<Input>& candidates, + Input* nameConstraintsInputPtr, bool& keepGoing) { + for (Input candidate : candidates) { + // Stop path building if the program is shutting down. + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + keepGoing = false; + return Success; + } + if (ShouldSkipSelfSignedNonTrustAnchor(trustDomain, candidate)) { + continue; + } + Result rv = checker.Check(candidate, nameConstraintsInputPtr, keepGoing); + if (rv != Success) { + return rv; + } + if (!keepGoing) { + return Success; + } + } + + return Success; +} + +Result NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName, + IssuerChecker& checker, Time) { + SECItem encodedIssuerNameItem = UnsafeMapInputToSECItem(encodedIssuerName); + // Handle imposed name constraints, if any. + ScopedAutoSECItem nameConstraints; + Input nameConstraintsInput; + Input* nameConstraintsInputPtr = nullptr; + SECStatus srv = + CERT_GetImposedNameConstraints(&encodedIssuerNameItem, &nameConstraints); + if (srv == SECSuccess) { + if (nameConstraintsInput.Init(nameConstraints.data, nameConstraints.len) != + Success) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + nameConstraintsInputPtr = &nameConstraintsInput; + } else if (PR_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + // First try all relevant certificates known to Gecko, which avoids calling + // CERT_CreateSubjectCertList, because that can be expensive. + nsTArray<Input> geckoRootCandidates; + nsTArray<Input> geckoIntermediateCandidates; + + if (!mCertStorage) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + nsTArray<uint8_t> subject; + subject.AppendElements(encodedIssuerName.UnsafeGetData(), + encodedIssuerName.GetLength()); + nsTArray<nsTArray<uint8_t>> certs; + nsresult rv = mCertStorage->FindCertsBySubject(subject, certs); + if (NS_FAILED(rv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + for (auto& cert : certs) { + Input certDER; + Result rv = certDER.Init(cert.Elements(), cert.Length()); + if (rv != Success) { + continue; // probably too big + } + // Currently we're only expecting intermediate certificates in cert storage. + geckoIntermediateCandidates.AppendElement(std::move(certDER)); + } + + // We might not have this module if e.g. we're on a Linux distribution that + // does something unexpected. + nsTArray<nsTArray<uint8_t>> builtInRoots; + if (mBuiltInRootsModule) { + FindRootsWithSubject(mBuiltInRootsModule, encodedIssuerNameItem, + builtInRoots); + for (const auto& root : builtInRoots) { + Input rootInput; + Result rv = rootInput.Init(root.Elements(), root.Length()); + if (rv != Success) { + continue; // probably too big + } + geckoRootCandidates.AppendElement(rootInput); + } + } else { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::FindIssuer: no built-in roots module")); + } + + for (const auto& thirdPartyRootInput : mThirdPartyRootInputs) { + BackCert root(thirdPartyRootInput, EndEntityOrCA::MustBeCA, nullptr); + Result rv = root.Init(); + if (rv != Success) { + continue; + } + // Filter out 3rd party roots that can't be issuers we're looking for + // because the subject distinguished name doesn't match. This prevents + // mozilla::pkix from accumulating spurious errors during path building. + if (!InputsAreEqual(encodedIssuerName, root.GetSubject())) { + continue; + } + geckoRootCandidates.AppendElement(thirdPartyRootInput); + } + + for (const auto& thirdPartyIntermediateInput : + mThirdPartyIntermediateInputs) { + BackCert intermediate(thirdPartyIntermediateInput, EndEntityOrCA::MustBeCA, + nullptr); + Result rv = intermediate.Init(); + if (rv != Success) { + continue; + } + // Filter out 3rd party intermediates that can't be issuers we're looking + // for because the subject distinguished name doesn't match. This prevents + // mozilla::pkix from accumulating spurious errors during path building. + if (!InputsAreEqual(encodedIssuerName, intermediate.GetSubject())) { + continue; + } + geckoIntermediateCandidates.AppendElement(thirdPartyIntermediateInput); + } + + if (mExtraCertificates.isSome()) { + for (const auto& extraCert : *mExtraCertificates) { + Input certInput; + Result rv = certInput.Init(extraCert.Elements(), extraCert.Length()); + if (rv != Success) { + continue; + } + BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr); + rv = cert.Init(); + if (rv != Success) { + continue; + } + // Filter out certificates that can't be issuers we're looking for because + // the subject distinguished name doesn't match. This prevents + // mozilla::pkix from accumulating spurious errors during path building. + if (!InputsAreEqual(encodedIssuerName, cert.GetSubject())) { + continue; + } + // We assume that extra certificates (presumably from the TLS handshake) + // are intermediates, since sending trust anchors would be superfluous. + geckoIntermediateCandidates.AppendElement(certInput); + } + } + + // Try all root certs first and then all (presumably) intermediates. + geckoRootCandidates.AppendElements(std::move(geckoIntermediateCandidates)); + + bool keepGoing = true; + Result result = CheckCandidates(*this, checker, geckoRootCandidates, + nameConstraintsInputPtr, keepGoing); + if (result != Success) { + return result; + } + if (!keepGoing) { + return Success; + } + + // Synchronously dispatch a task to the socket thread to find + // CERTCertificates with the given subject. This involves querying NSS + // structures and databases, so it should be done on the socket thread. + nsTArray<nsTArray<uint8_t>> nssRootCandidates; + nsTArray<nsTArray<uint8_t>> nssIntermediateCandidates; + RefPtr<Runnable> getCandidatesTask = + NS_NewRunnableFunction("NSSCertDBTrustDomain::FindIssuer", [&]() { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + return; + } + // NSS seems not to differentiate between "no potential issuers found" + // and "there was an error trying to retrieve the potential issuers." We + // assume there was no error if CERT_CreateSubjectCertList returns + // nullptr. + UniqueCERTCertList candidates( + CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), + &encodedIssuerNameItem, 0, false)); + if (candidates) { + for (CERTCertListNode* n = CERT_LIST_HEAD(candidates); + !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) { + nsTArray<uint8_t> candidate; + candidate.AppendElements(n->cert->derCert.data, + n->cert->derCert.len); + if (n->cert->isRoot) { + nssRootCandidates.AppendElement(std::move(candidate)); + } else { + nssIntermediateCandidates.AppendElement(std::move(candidate)); + } + } + } + }); + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!socketThread) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + rv = SyncRunnable::DispatchToThread(socketThread, getCandidatesTask); + if (NS_FAILED(rv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + nsTArray<Input> nssCandidates; + for (const auto& rootCandidate : nssRootCandidates) { + Input certDER; + Result rv = certDER.Init(rootCandidate.Elements(), rootCandidate.Length()); + if (rv != Success) { + continue; // probably too big + } + nssCandidates.AppendElement(std::move(certDER)); + } + for (const auto& intermediateCandidate : nssIntermediateCandidates) { + Input certDER; + Result rv = certDER.Init(intermediateCandidate.Elements(), + intermediateCandidate.Length()); + if (rv != Success) { + continue; // probably too big + } + nssCandidates.AppendElement(std::move(certDER)); + } + + return CheckCandidates(*this, checker, nssCandidates, nameConstraintsInputPtr, + keepGoing); +} + +Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, + const CertPolicyId& policy, + Input candidateCertDER, + /*out*/ TrustLevel& trustLevel) { + // Check the certificate against the OneCRL cert blocklist + if (!mCertStorage) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + // The certificate blocklist currently only applies to TLS server + // certificates. + if (mCertDBTrustType == trustSSL) { + int16_t revocationState; + + nsTArray<uint8_t> issuerBytes; + nsTArray<uint8_t> serialBytes; + nsTArray<uint8_t> subjectBytes; + nsTArray<uint8_t> pubKeyBytes; + + Result result = + BuildRevocationCheckArrays(candidateCertDER, endEntityOrCA, issuerBytes, + serialBytes, subjectBytes, pubKeyBytes); + if (result != Success) { + return result; + } + + nsresult nsrv = mCertStorage->GetRevocationState( + issuerBytes, serialBytes, subjectBytes, pubKeyBytes, &revocationState); + if (NS_FAILED(nsrv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + if (revocationState == nsICertStorage::STATE_ENFORCE) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: certificate is in blocklist")); + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::OneCRL); + return Result::ERROR_REVOKED_CERTIFICATE; + } + } + + // This may be a third-party root. + for (const auto& thirdPartyRootInput : mThirdPartyRootInputs) { + if (InputsAreEqual(candidateCertDER, thirdPartyRootInput)) { + trustLevel = TrustLevel::TrustAnchor; + return Success; + } + } + + // This may be a third-party intermediate. + for (const auto& thirdPartyIntermediateInput : + mThirdPartyIntermediateInputs) { + if (InputsAreEqual(candidateCertDER, thirdPartyIntermediateInput)) { + trustLevel = TrustLevel::InheritsTrust; + return Success; + } + } + + // Synchronously dispatch a task to the socket thread to construct a + // CERTCertificate and get its trust from NSS. This involves querying NSS + // structures and databases, so it should be done on the socket thread. + Result result = Result::FATAL_ERROR_LIBRARY_FAILURE; + RefPtr<Runnable> getTrustTask = + NS_NewRunnableFunction("NSSCertDBTrustDomain::GetCertTrust", [&]() { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + result = Result::FATAL_ERROR_LIBRARY_FAILURE; + return; + } + // This would be cleaner and more efficient if we could get the trust + // information without constructing a CERTCertificate here, but NSS + // doesn't expose it in any other easy-to-use fashion. The use of + // CERT_NewTempCertificate to get a CERTCertificate shouldn't be a + // performance problem for certificates already known to NSS because NSS + // will just find the existing CERTCertificate in its in-memory cache + // and return it. For certificates not already in NSS (namely + // third-party roots and intermediates), we want to avoid calling + // CERT_NewTempCertificate repeatedly, so we've already checked if the + // candidate certificate is a third-party certificate, above. + SECItem candidateCertDERSECItem = + UnsafeMapInputToSECItem(candidateCertDER); + UniqueCERTCertificate candidateCert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, + true)); + if (!candidateCert) { + result = MapPRErrorCodeToResult(PR_GetError()); + return; + } + // NB: CERT_GetCertTrust seems to be abusing SECStatus as a boolean, + // where SECSuccess means that there is a trust record and SECFailure + // means there is not a trust record. I looked at NSS's internal uses of + // CERT_GetCertTrust, and all that code uses the result as a boolean + // meaning "We have a trust record." + CERTCertTrust trust; + if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) { + uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType); + + // For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit, + // because we can have active distrust for either type of cert. Note + // that CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so + // if the relevant trust bit isn't set then that means the cert must + // be considered distrusted. + uint32_t relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA + ? CERTDB_TRUSTED_CA + : CERTDB_TRUSTED; + if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD))) == + CERTDB_TERMINAL_RECORD) { + trustLevel = TrustLevel::ActivelyDistrusted; + result = Success; + return; + } + + // For TRUST, we use the CERTDB_TRUSTED_CA bit. + if (flags & CERTDB_TRUSTED_CA) { + if (policy.IsAnyPolicy()) { + trustLevel = TrustLevel::TrustAnchor; + result = Success; + return; + } + + nsTArray<uint8_t> certBytes(candidateCert->derCert.data, + candidateCert->derCert.len); + if (CertIsAuthoritativeForEVPolicy(certBytes, policy)) { + trustLevel = TrustLevel::TrustAnchor; + result = Success; + return; + } + } + } + trustLevel = TrustLevel::InheritsTrust; + result = Success; + }); + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!socketThread) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + nsresult rv = SyncRunnable::DispatchToThread(socketThread, getTrustTask); + if (NS_FAILED(rv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + return result; +} + +Result NSSCertDBTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, + size_t digestBufLen) { + return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen); +} + +TimeDuration NSSCertDBTrustDomain::GetOCSPTimeout() const { + switch (mOCSPFetching) { + case NSSCertDBTrustDomain::FetchOCSPForDVSoftFail: + return mOCSPTimeoutSoft; + case NSSCertDBTrustDomain::FetchOCSPForEV: + case NSSCertDBTrustDomain::FetchOCSPForDVHardFail: + return mOCSPTimeoutHard; + // The rest of these are error cases. Assert in debug builds, but return + // the soft timeout value in release builds. + case NSSCertDBTrustDomain::NeverFetchOCSP: + case NSSCertDBTrustDomain::LocalOnlyOCSPForEV: + MOZ_ASSERT_UNREACHABLE("we should never see this OCSPFetching type here"); + break; + } + + MOZ_ASSERT_UNREACHABLE("we're not handling every OCSPFetching type"); + return mOCSPTimeoutSoft; +} + +// Copied and modified from CERT_GetOCSPAuthorityInfoAccessLocation and +// CERT_GetGeneralNameByType. Returns a non-Result::Success result on error, +// Success with result.IsVoid() == true when an OCSP URI was not found, and +// Success with result.IsVoid() == false when an OCSP URI was found. +static Result GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena, + Input aiaExtension, + /*out*/ nsCString& result) { + MOZ_ASSERT(arena.get()); + if (!arena.get()) { + return Result::FATAL_ERROR_INVALID_ARGS; + } + + result.Assign(VoidCString()); + SECItem aiaExtensionSECItem = UnsafeMapInputToSECItem(aiaExtension); + CERTAuthInfoAccess** aia = + CERT_DecodeAuthInfoAccessExtension(arena.get(), &aiaExtensionSECItem); + if (!aia) { + return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + } + for (size_t i = 0; aia[i]; ++i) { + if (SECOID_FindOIDTag(&aia[i]->method) == SEC_OID_PKIX_OCSP) { + // NSS chooses the **last** OCSP URL; we choose the **first** + CERTGeneralName* current = aia[i]->location; + if (!current) { + continue; + } + do { + if (current->type == certURI) { + const SECItem& location = current->name.other; + // (location.len + 1) must be small enough to fit into a uint32_t, + // but we limit it to a smaller bound to reduce OOM risk. + if (location.len > 1024 || memchr(location.data, 0, location.len)) { + // Reject embedded nulls. (NSS doesn't do this) + return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + } + result.Assign(nsDependentCSubstring( + reinterpret_cast<const char*>(location.data), location.len)); + return Success; + } + current = CERT_GetNextGeneralName(current); + } while (current != aia[i]->location); + } + } + + return Success; +} + +NS_IMPL_ISUPPORTS(CRLiteTimestamp, nsICRLiteTimestamp) + +NS_IMETHODIMP +CRLiteTimestamp::GetLogID(nsTArray<uint8_t>& aLogID) { + aLogID.Clear(); + aLogID.AppendElements(mLogID); + return NS_OK; +} + +NS_IMETHODIMP +CRLiteTimestamp::GetTimestamp(uint64_t* aTimestamp) { + *aTimestamp = mTimestamp; + return NS_OK; +} + +Result BuildCRLiteTimestampArray( + Input sctExtension, + /*out*/ nsTArray<RefPtr<nsICRLiteTimestamp>>& timestamps) { + Input sctList; + Result rv = + ExtractSignedCertificateTimestampListFromExtension(sctExtension, sctList); + if (rv != Success) { + return rv; + } + std::vector<SignedCertificateTimestamp> decodedSCTs; + size_t decodingErrors; + DecodeSCTs(sctList, decodedSCTs, decodingErrors); + Unused << decodingErrors; + + for (const auto& sct : decodedSCTs) { + timestamps.AppendElement(new CRLiteTimestamp(sct)); + } + return Success; +} + +Result NSSCertDBTrustDomain::CheckCRLiteStash( + const nsTArray<uint8_t>& issuerSubjectPublicKeyInfoBytes, + const nsTArray<uint8_t>& serialNumberBytes) { + // This information is deterministic and has already been validated by our + // infrastructure (it comes from signed CRLs), so if the stash says a + // certificate is revoked, it is. + bool isRevokedByStash = false; + nsresult rv = mCertStorage->IsCertRevokedByStash( + issuerSubjectPublicKeyInfoBytes, serialNumberBytes, &isRevokedByStash); + if (NS_FAILED(rv)) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash " + "failed")); + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + if (isRevokedByStash) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash " + "returned true")); + return Result::ERROR_REVOKED_CERTIFICATE; + } + return Success; +} + +Result NSSCertDBTrustDomain::CheckCRLite( + const nsTArray<uint8_t>& issuerBytes, + const nsTArray<uint8_t>& issuerSubjectPublicKeyInfoBytes, + const nsTArray<uint8_t>& serialNumberBytes, + const nsTArray<RefPtr<nsICRLiteTimestamp>>& timestamps, + /*out*/ bool& filterCoversCertificate) { + filterCoversCertificate = false; + int16_t crliteRevocationState; + nsresult rv = mCertStorage->GetCRLiteRevocationState( + issuerBytes, issuerSubjectPublicKeyInfoBytes, serialNumberBytes, + timestamps, &crliteRevocationState); + if (NS_FAILED(rv)) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckCRLite: CRLite call failed")); + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckCRLite: CRLite check returned " + "state=%hd", + crliteRevocationState)); + + switch (crliteRevocationState) { + case nsICertStorage::STATE_ENFORCE: + filterCoversCertificate = true; + return Result::ERROR_REVOKED_CERTIFICATE; + case nsICertStorage::STATE_UNSET: + filterCoversCertificate = true; + return Success; + case nsICertStorage::STATE_NOT_ENROLLED: + filterCoversCertificate = false; + return Success; + case nsICertStorage::STATE_NOT_COVERED: + filterCoversCertificate = false; + return Success; + case nsICertStorage::STATE_NO_FILTER: + filterCoversCertificate = false; + return Success; + default: + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckCRLite: Unknown CRLite revocation " + "state")); + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } +} + +Result NSSCertDBTrustDomain::CheckRevocation( + EndEntityOrCA endEntityOrCA, const CertID& certID, Time time, + Duration validityDuration, + /*optional*/ const Input* stapledOCSPResponse, + /*optional*/ const Input* aiaExtension, + /*optional*/ const Input* sctExtension) { + // Actively distrusted certificates will have already been blocked by + // GetCertTrust. + + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: Top of CheckRevocation\n")); + + // None of the revocation methods in this function are consulted for CA + // certificates. Revocation for CAs is handled by GetCertTrust. + if (endEntityOrCA == EndEntityOrCA::MustBeCA) { + return Success; + } + + // Look for an OCSP Authority Information Access URL. Our behavior in + // ConfirmRevocations mode depends on whether a synchronous OCSP + // request is possible. + nsCString aiaLocation(VoidCString()); + if (aiaExtension) { + UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); + if (!arena) { + return Result::FATAL_ERROR_NO_MEMORY; + } + Result rv = + GetOCSPAuthorityInfoAccessLocation(arena, *aiaExtension, aiaLocation); + if (rv != Success) { + return rv; + } + } + + bool crliteCoversCertificate = false; + Result crliteResult = Success; + if (mCRLiteMode != CRLiteMode::Disabled && sctExtension) { + crliteResult = + CheckRevocationByCRLite(certID, *sctExtension, crliteCoversCertificate); + + // If CheckCRLite returned an error other than "revoked certificate", + // propagate that error. + if (crliteResult != Success && + crliteResult != Result::ERROR_REVOKED_CERTIFICATE) { + return crliteResult; + } + + if (crliteCoversCertificate) { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::CRLite); + // If we don't return here we will consult OCSP. + // In Enforce CRLite mode we can return "Revoked" or "Not Revoked" + // without consulting OCSP. + if (mCRLiteMode == CRLiteMode::Enforce) { + return crliteResult; + } + // If we don't have a URL for an OCSP responder, then we can return any + // result ConfirmRevocations mode. Note that we might have a + // stapled or cached OCSP response which we ignore in this case. + if (mCRLiteMode == CRLiteMode::ConfirmRevocations && + aiaLocation.IsVoid()) { + return crliteResult; + } + // In ConfirmRevocations mode we can return "Not Revoked" + // without consulting OCSP. + if (mCRLiteMode == CRLiteMode::ConfirmRevocations && + crliteResult == Success) { + return Success; + } + } + } + + bool ocspSoftFailure = false; + Result ocspResult = CheckRevocationByOCSP( + certID, time, validityDuration, aiaLocation, crliteCoversCertificate, + crliteResult, stapledOCSPResponse, ocspSoftFailure); + + // In ConfirmRevocations mode we treat any OCSP failure as confirmation + // of a CRLite revoked result. + if (crliteCoversCertificate && + crliteResult == Result::ERROR_REVOKED_CERTIFICATE && + mCRLiteMode == CRLiteMode::ConfirmRevocations && + (ocspResult != Success || ocspSoftFailure)) { + return Result::ERROR_REVOKED_CERTIFICATE; + } + + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: end of CheckRevocation")); + + return ocspResult; +} + +Result NSSCertDBTrustDomain::CheckRevocationByCRLite( + const CertID& certID, const Input& sctExtension, + /*out*/ bool& crliteCoversCertificate) { + crliteCoversCertificate = false; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain::CheckRevocation: checking CRLite")); + nsTArray<uint8_t> issuerSubjectPublicKeyInfoBytes; + issuerSubjectPublicKeyInfoBytes.AppendElements( + certID.issuerSubjectPublicKeyInfo.UnsafeGetData(), + certID.issuerSubjectPublicKeyInfo.GetLength()); + nsTArray<uint8_t> serialNumberBytes; + serialNumberBytes.AppendElements(certID.serialNumber.UnsafeGetData(), + certID.serialNumber.GetLength()); + // The CRLite stash is essentially a subset of a collection of CRLs, so if + // it says a certificate is revoked, it is. + Result rv = + CheckCRLiteStash(issuerSubjectPublicKeyInfoBytes, serialNumberBytes); + if (rv != Success) { + crliteCoversCertificate = (rv == Result::ERROR_REVOKED_CERTIFICATE); + return rv; + } + + nsTArray<uint8_t> issuerBytes; + issuerBytes.AppendElements(certID.issuer.UnsafeGetData(), + certID.issuer.GetLength()); + + nsTArray<RefPtr<nsICRLiteTimestamp>> timestamps; + rv = BuildCRLiteTimestampArray(sctExtension, timestamps); + if (rv != Success) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("decoding SCT extension failed - CRLite will be not be " + "consulted")); + return Success; + } + return CheckCRLite(issuerBytes, issuerSubjectPublicKeyInfoBytes, + serialNumberBytes, timestamps, crliteCoversCertificate); +} + +Result NSSCertDBTrustDomain::CheckRevocationByOCSP( + const CertID& certID, Time time, Duration validityDuration, + const nsCString& aiaLocation, const bool crliteCoversCertificate, + const Result crliteResult, + /*optional*/ const Input* stapledOCSPResponse, + /*out*/ bool& softFailure) { + softFailure = false; + const uint16_t maxOCSPLifetimeInDays = 10; + // If we have a stapled OCSP response then the verification of that response + // determines the result unless the OCSP response is expired. We make an + // exception for expired responses because some servers, nginx in particular, + // are known to serve expired responses due to bugs. + // We keep track of the result of verifying the stapled response but don't + // immediately return failure if the response has expired. + Result stapledOCSPResponseResult = Success; + if (stapledOCSPResponse) { + bool expired; + uint32_t ageInHours; + stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse( + certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse, + ResponseWasStapled, expired, ageInHours); + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP); + if (stapledOCSPResponseResult == Success) { + // stapled OCSP response present and good + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_GOOD; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: stapled OCSP response: good")); + return Success; + } + if (stapledOCSPResponseResult == Result::ERROR_OCSP_OLD_RESPONSE || + expired) { + // stapled OCSP response present but expired + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_EXPIRED; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: expired stapled OCSP response")); + } else if (stapledOCSPResponseResult == + Result::ERROR_OCSP_TRY_SERVER_LATER || + stapledOCSPResponseResult == + Result::ERROR_OCSP_INVALID_SIGNING_CERT) { + // Stapled OCSP response present but invalid for a small number of reasons + // CAs/servers commonly get wrong. This will be treated similarly to an + // expired stapled response. + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_INVALID; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: stapled OCSP response: " + "failure (allowed for compatibility)")); + } else { + // stapled OCSP response present but invalid for some reason + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_INVALID; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: stapled OCSP response: failure")); + return stapledOCSPResponseResult; + } + } else { + // no stapled OCSP response + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_NONE; + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: no stapled OCSP response")); + } + + Result cachedResponseResult = Success; + Time cachedResponseValidThrough(Time::uninitialized); + bool cachedResponsePresent = + mOCSPCache.Get(certID, mOriginAttributes, cachedResponseResult, + cachedResponseValidThrough); + if (cachedResponsePresent) { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::CachedOCSP); + if (cachedResponseResult == Success && cachedResponseValidThrough >= time) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: cached OCSP response: good")); + return Success; + } + // If we have a cached revoked response, use it. + if (cachedResponseResult == Result::ERROR_REVOKED_CERTIFICATE) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: cached OCSP response: revoked")); + return Result::ERROR_REVOKED_CERTIFICATE; + } + // The cached response may indicate an unknown certificate or it may be + // expired. Don't return with either of these statuses yet - we may be + // able to fetch a more recent one. + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: cached OCSP response: error %d", + static_cast<int>(cachedResponseResult))); + // When a good cached response has expired, it is more convenient + // to convert that to an error code and just deal with + // cachedResponseResult from here on out. + if (cachedResponseResult == Success && cachedResponseValidThrough < time) { + cachedResponseResult = Result::ERROR_OCSP_OLD_RESPONSE; + } + // We may have a cached indication of server failure. Ignore it if + // it has expired. + if (cachedResponseResult != Success && + cachedResponseResult != Result::ERROR_OCSP_UNKNOWN_CERT && + cachedResponseResult != Result::ERROR_OCSP_OLD_RESPONSE && + cachedResponseValidThrough < time) { + cachedResponseResult = Success; + cachedResponsePresent = false; + } + } else { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: no cached OCSP response")); + } + // At this point, if and only if cachedErrorResult is Success, there was no + // cached response. + MOZ_ASSERT((!cachedResponsePresent && cachedResponseResult == Success) || + (cachedResponsePresent && cachedResponseResult != Success)); + + // TODO: We still need to handle the fallback for invalid stapled responses. + // But, if/when we disable OCSP fetching by default, it would be ambiguous + // whether security.OCSP.enable==0 means "I want the default" or "I really + // never want you to ever fetch OCSP." + // Additionally, this doesn't properly handle OCSP-must-staple when OCSP + // fetching is disabled. + Duration shortLifetime(mCertShortLifetimeInDays * Time::ONE_DAY_IN_SECONDS); + if (validityDuration < shortLifetime) { + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::ShortValidity); + } + if ((mOCSPFetching == NeverFetchOCSP) || (validityDuration < shortLifetime)) { + // We're not going to be doing any fetching, so if there was a cached + // "unknown" response, say so. + if (cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { + return Result::ERROR_OCSP_UNKNOWN_CERT; + } + // If we're doing hard-fail, we want to know if we have a cached response + // that has expired. + if (mOCSPFetching == FetchOCSPForDVHardFail && + cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { + return Result::ERROR_OCSP_OLD_RESPONSE; + } + + softFailure = true; + return Success; + } + + if (mOCSPFetching == LocalOnlyOCSPForEV) { + if (cachedResponseResult != Success) { + return cachedResponseResult; + } + return Result::ERROR_OCSP_UNKNOWN_CERT; + } + + if (aiaLocation.IsVoid()) { + if (mOCSPFetching == FetchOCSPForEV || + cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { + return Result::ERROR_OCSP_UNKNOWN_CERT; + } + if (cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { + return Result::ERROR_OCSP_OLD_RESPONSE; + } + if (stapledOCSPResponseResult != Success) { + return stapledOCSPResponseResult; + } + + // Nothing to do if we don't have an OCSP responder URI for the cert; just + // assume it is good. Note that this is the confusing, but intended, + // interpretation of "strict" revocation checking in the face of a + // certificate that lacks an OCSP responder URI. There's no need to set + // softFailure here---we check for the presence of an AIA before attempting + // OCSP when CRLite is configured in confirm revocations mode. + return Success; + } + + if (cachedResponseResult == Success || + cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT || + cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { + // Only send a request to, and process a response from, the server if we + // didn't have a cached indication of failure. Also, don't keep requesting + // responses from a failing server. + return SynchronousCheckRevocationWithServer( + certID, aiaLocation, time, maxOCSPLifetimeInDays, cachedResponseResult, + stapledOCSPResponseResult, crliteCoversCertificate, crliteResult, + softFailure); + } + + return HandleOCSPFailure(cachedResponseResult, stapledOCSPResponseResult, + cachedResponseResult, softFailure); +} + +Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer( + const CertID& certID, const nsCString& aiaLocation, Time time, + uint16_t maxOCSPLifetimeInDays, const Result cachedResponseResult, + const Result stapledOCSPResponseResult, const bool crliteCoversCertificate, + const Result crliteResult, /*out*/ bool& softFailure) { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + uint8_t ocspRequestBytes[OCSP_REQUEST_MAX_LENGTH]; + size_t ocspRequestLength; + Result rv = CreateEncodedOCSPRequest(*this, certID, ocspRequestBytes, + ocspRequestLength); + if (rv != Success) { + return rv; + } + + Vector<uint8_t> ocspResponse; + Input response; + mOCSPFetchStatus = OCSPFetchStatus::Fetched; + rv = DoOCSPRequest(aiaLocation, mOriginAttributes, ocspRequestBytes, + ocspRequestLength, GetOCSPTimeout(), ocspResponse); + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::OCSP); + if (rv == Success && + response.Init(ocspResponse.begin(), ocspResponse.length()) != Success) { + rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big + } + + if (rv != Success) { + Time timeout(time); + if (timeout.AddSeconds(ServerFailureDelaySeconds) != Success) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow + } + + Result cacheRV = + mOCSPCache.Put(certID, mOriginAttributes, rv, time, timeout); + if (cacheRV != Success) { + return cacheRV; + } + + if (crliteCoversCertificate) { + if (crliteResult == Success) { + // CRLite says the certificate is OK, but OCSP fetching failed. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteOkOCSPFail); + } else { + // CRLite says the certificate is revoked, but OCSP fetching failed. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPFail); + } + } + + return HandleOCSPFailure(cachedResponseResult, stapledOCSPResponseResult, + rv, softFailure); + } + + // If the response from the network has expired but indicates a revoked + // or unknown certificate, PR_GetError() will return the appropriate error. + // We actually ignore expired here. + bool expired; + uint32_t ageInHours; + rv = VerifyAndMaybeCacheEncodedOCSPResponse( + certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork, + expired, ageInHours); + + // If the CRLite filter covers the certificate, compare the CRLite result + // with the OCSP fetching result. OCSP may have succeeded, said the + // certificate is revoked, said the certificate doesn't exist, or it may have + // failed for a reason that results in a "soft fail" (i.e. there is no + // indication that the certificate is either definitely revoked or definitely + // not revoked, so for usability, revocation checking says the certificate is + // valid by default). + if (crliteCoversCertificate) { + if (rv == Success) { + if (crliteResult == Success) { + // CRLite and OCSP fetching agree the certificate is OK. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteOkOCSPOk); + } else { + // CRLite says the certificate is revoked, but OCSP says it is OK. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk); + + if (mCRLiteMode == CRLiteMode::ConfirmRevocations) { + Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE, + ageInHours); + } + } + } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) { + if (crliteResult == Success) { + // CRLite says the certificate is OK, but OCSP says it is revoked. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteOkOCSPRev); + } else { + // CRLite and OCSP fetching agree the certificate is revoked. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPRev); + } + } else if (rv == Result::ERROR_OCSP_UNKNOWN_CERT) { + if (crliteResult == Success) { + // CRLite says the certificate is OK, but OCSP says it doesn't exist. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteOkOCSPUnk); + } else { + // CRLite says the certificate is revoked, but OCSP says it doesn't + // exist. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPUnk); + } + } else { + if (crliteResult == Success) { + // CRLite says the certificate is OK, but OCSP encountered a soft-fail + // error. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteOkOCSPSoft); + } else { + // CRLite says the certificate is revoked, but OCSP encountered a + // soft-fail error. + Telemetry::AccumulateCategorical( + Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPSoft); + } + } + } + + if (rv == Success || mOCSPFetching != FetchOCSPForDVSoftFail) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning after " + "VerifyEncodedOCSPResponse")); + return rv; + } + + if (rv == Result::ERROR_OCSP_UNKNOWN_CERT || + rv == Result::ERROR_REVOKED_CERTIFICATE) { + return rv; + } + + if (stapledOCSPResponseResult != Success) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning SECFailure from expired/invalid " + "stapled response after OCSP request verification failure")); + return stapledOCSPResponseResult; + } + + softFailure = true; + return Success; // Soft fail -> success :( +} + +Result NSSCertDBTrustDomain::HandleOCSPFailure( + const Result cachedResponseResult, const Result stapledOCSPResponseResult, + const Result error, /*out*/ bool& softFailure) { + if (mOCSPFetching != FetchOCSPForDVSoftFail) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning SECFailure after OCSP request " + "failure")); + return error; + } + + if (cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning SECFailure from cached response " + "after OCSP request failure")); + return cachedResponseResult; + } + + if (stapledOCSPResponseResult != Success) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning SECFailure from expired/invalid " + "stapled response after OCSP request failure")); + return stapledOCSPResponseResult; + } + + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: returning SECSuccess after OCSP request " + "failure")); + + softFailure = true; + return Success; // Soft fail -> success :( +} + +Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse( + const CertID& certID, Time time, uint16_t maxLifetimeInDays, + Input encodedResponse, EncodedResponseSource responseSource, + /*out*/ bool& expired, + /*out*/ uint32_t& ageInHours) { + Time thisUpdate(Time::uninitialized); + Time validThrough(Time::uninitialized); + + Result rv = VerifyEncodedOCSPResponse(*this, certID, time, maxLifetimeInDays, + encodedResponse, expired, &thisUpdate, + &validThrough); + // If a response was stapled and expired, we don't want to cache it. Return + // early to simplify the logic here. + if (responseSource == ResponseWasStapled && expired) { + MOZ_ASSERT(rv != Success); + return rv; + } + // validThrough is only trustworthy if the response successfully verifies + // or it indicates a revoked or unknown certificate. + // If this isn't the case, store an indication of failure (to prevent + // repeatedly requesting a response from a failing server). + if (rv != Success && rv != Result::ERROR_REVOKED_CERTIFICATE && + rv != Result::ERROR_OCSP_UNKNOWN_CERT) { + validThrough = time; + if (validThrough.AddSeconds(ServerFailureDelaySeconds) != Success) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow + } + } + // The `thisUpdate` field holds the latest time at which the server knew the + // response was correct. The age of the response is the time that has elapsed + // since. We only use this for the telemetry defined in Bug 1794479. + uint64_t timeInSeconds; + uint64_t thisUpdateInSeconds; + uint64_t ageInSeconds; + SecondsSinceEpochFromTime(time, &timeInSeconds); + SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds); + if (timeInSeconds >= thisUpdateInSeconds) { + ageInSeconds = timeInSeconds - thisUpdateInSeconds; + // ageInHours is 32 bits because of the telemetry api. + if (ageInSeconds > UINT32_MAX) { + // We could divide by 3600 before checking the UINT32_MAX bound, but if + // ageInSeconds is more than UINT32_MAX then there's been some sort of + // error. + ageInHours = UINT32_MAX; + } else { + // We start at 1 and divide with truncation to reserve ageInHours=0 for + // the case where `thisUpdate` is in the future. + ageInHours = 1 + ageInSeconds / (60 * 60); + } + } else { + ageInHours = 0; + } + if (responseSource == ResponseIsFromNetwork || rv == Success || + rv == Result::ERROR_REVOKED_CERTIFICATE || + rv == Result::ERROR_OCSP_UNKNOWN_CERT) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: caching OCSP response")); + Result putRV = + mOCSPCache.Put(certID, mOriginAttributes, rv, thisUpdate, validThrough); + if (putRV != Success) { + return putRV; + } + } + + return rv; +} + +SECStatus GetCertDistrustAfterValue(const SECItem* distrustItem, + PRTime& distrustTime) { + if (!distrustItem || !distrustItem->data || distrustItem->len != 13) { + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return SECFailure; + } + return DER_DecodeTimeChoice(&distrustTime, distrustItem); +} + +SECStatus GetCertNotBeforeValue(const CERTCertificate* cert, + PRTime& distrustTime) { + return DER_DecodeTimeChoice(&distrustTime, &cert->validity.notBefore); +} + +nsresult isDistrustedCertificateChain( + const nsTArray<nsTArray<uint8_t>>& certArray, + const SECTrustType certDBTrustType, bool& isDistrusted) { + if (certArray.Length() == 0) { + return NS_ERROR_FAILURE; + } + + // Set the default result to be distrusted. + isDistrusted = true; + + // There is no distrust to set if the certDBTrustType is not SSL or Email. + if (certDBTrustType != trustSSL && certDBTrustType != trustEmail) { + isDistrusted = false; + return NS_OK; + } + + SECStatus runnableRV = SECFailure; + + RefPtr<Runnable> isDistrustedChainTask = + NS_NewRunnableFunction("isDistrustedCertificateChain", [&]() { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + runnableRV = SECFailure; + return; + } + // Allocate objects and retreive the root and end-entity certificates. + CERTCertDBHandle* certDB(CERT_GetDefaultCertDB()); + const nsTArray<uint8_t>& certRootDER = certArray.LastElement(); + SECItem certRootDERItem = { + siBuffer, const_cast<unsigned char*>(certRootDER.Elements()), + AssertedCast<unsigned int>(certRootDER.Length())}; + UniqueCERTCertificate certRoot(CERT_NewTempCertificate( + certDB, &certRootDERItem, nullptr, false, true)); + if (!certRoot) { + runnableRV = SECFailure; + return; + } + const nsTArray<uint8_t>& certLeafDER = certArray.ElementAt(0); + SECItem certLeafDERItem = { + siBuffer, const_cast<unsigned char*>(certLeafDER.Elements()), + AssertedCast<unsigned int>(certLeafDER.Length())}; + UniqueCERTCertificate certLeaf(CERT_NewTempCertificate( + certDB, &certLeafDERItem, nullptr, false, true)); + if (!certLeaf) { + runnableRV = SECFailure; + return; + } + + // Set isDistrusted to false if there is no distrust for the root. + if (!certRoot->distrust) { + isDistrusted = false; + runnableRV = SECSuccess; + return; + } + + // Create a pointer to refer to the selected distrust struct. + SECItem* distrustPtr = nullptr; + if (certDBTrustType == trustSSL) { + distrustPtr = &certRoot->distrust->serverDistrustAfter; + } + if (certDBTrustType == trustEmail) { + distrustPtr = &certRoot->distrust->emailDistrustAfter; + } + + // Get validity for the current end-entity certificate + // and get the distrust field for the root certificate. + PRTime certRootDistrustAfter; + PRTime certLeafNotBefore; + + runnableRV = + GetCertDistrustAfterValue(distrustPtr, certRootDistrustAfter); + if (runnableRV != SECSuccess) { + return; + } + + runnableRV = GetCertNotBeforeValue(certLeaf.get(), certLeafNotBefore); + if (runnableRV != SECSuccess) { + return; + } + + // Compare the validity of the end-entity certificate with + // the distrust value of the root. + if (certLeafNotBefore <= certRootDistrustAfter) { + isDistrusted = false; + } + + runnableRV = SECSuccess; + }); + nsCOMPtr<nsIEventTarget> socketThread( + do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID)); + if (!socketThread) { + return NS_ERROR_FAILURE; + } + nsresult rv = + SyncRunnable::DispatchToThread(socketThread, isDistrustedChainTask); + if (NS_FAILED(rv) || runnableRV != SECSuccess) { + return NS_ERROR_FAILURE; + } + return NS_OK; +} + +Result NSSCertDBTrustDomain::IsChainValid(const DERArray& reversedDERArray, + Time time, + const CertPolicyId& requiredPolicy) { + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("NSSCertDBTrustDomain: IsChainValid")); + + size_t numCerts = reversedDERArray.GetLength(); + if (numCerts < 1) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + nsTArray<nsTArray<uint8_t>> certArray; + for (size_t i = numCerts; i > 0; --i) { + const Input* derInput = reversedDERArray.GetDER(i - 1); + certArray.EmplaceBack(derInput->UnsafeGetData(), derInput->GetLength()); + } + + const nsTArray<uint8_t>& rootBytes = certArray.LastElement(); + Input rootInput; + Result rv = rootInput.Init(rootBytes.Elements(), rootBytes.Length()); + if (rv != Success) { + return rv; + } + rv = IsCertBuiltInRoot(rootInput, mIsBuiltChainRootBuiltInRoot); + if (rv != Result::Success) { + return rv; + } + nsresult nsrv; + // If mHostname isn't set, we're not verifying in the context of a TLS + // handshake, so don't verify key pinning in those cases. + if (mHostname) { + nsTArray<Span<const uint8_t>> derCertSpanList; + for (const auto& certDER : certArray) { + derCertSpanList.EmplaceBack(certDER.Elements(), certDER.Length()); + } + + bool chainHasValidPins; + nsrv = PublicKeyPinningService::ChainHasValidPins( + derCertSpanList, mHostname, time, mIsBuiltChainRootBuiltInRoot, + chainHasValidPins, mPinningTelemetryInfo); + if (NS_FAILED(nsrv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + if (!chainHasValidPins) { + return Result::ERROR_KEY_PINNING_FAILURE; + } + } + + // Check that the childs' certificate NotBefore date is anterior to + // the NotAfter value of the parent when the root is a builtin. + if (mIsBuiltChainRootBuiltInRoot) { + bool isDistrusted; + nsrv = + isDistrustedCertificateChain(certArray, mCertDBTrustType, isDistrusted); + if (NS_FAILED(nsrv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + if (isDistrusted) { + return Result::ERROR_UNTRUSTED_ISSUER; + } + } + + // See bug 1434300. If the root is a Symantec root, see if we distrust this + // path. Since we already have the root available, we can check that cheaply + // here before proceeding with the rest of the algorithm. + + // This algorithm only applies if we are verifying in the context of a TLS + // handshake. To determine this, we check mHostname: If it isn't set, this is + // not TLS, so don't run the algorithm. + const nsTArray<uint8_t>& rootCertDER = certArray.LastElement(); + if (mHostname && CertDNIsInList(rootCertDER, RootSymantecDNs)) { + if (numCerts <= 1) { + // This chain is supposed to be complete, so this is an error. + return Result::ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED; + } + nsTArray<Input> intCerts; + + for (size_t i = 1; i < certArray.Length() - 1; ++i) { + const nsTArray<uint8_t>& certBytes = certArray.ElementAt(i); + Input certInput; + rv = certInput.Init(certBytes.Elements(), certBytes.Length()); + if (rv != Success) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + + intCerts.EmplaceBack(certInput); + } + + bool isDistrusted = false; + nsrv = CheckForSymantecDistrust(intCerts, RootAppleAndGoogleSPKIs, + isDistrusted); + if (NS_FAILED(nsrv)) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + if (isDistrusted) { + mSawDistrustedCAByPolicyError = true; + return Result::ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED; + } + } + + mBuiltChain = std::move(certArray); + + return Success; +} + +Result NSSCertDBTrustDomain::CheckSignatureDigestAlgorithm( + DigestAlgorithm aAlg, EndEntityOrCA /*endEntityOrCA*/, Time /*notBefore*/) { + switch (aAlg) { + case DigestAlgorithm::sha256: // fall through + case DigestAlgorithm::sha384: // fall through + case DigestAlgorithm::sha512: + return Success; + case DigestAlgorithm::sha1: + return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; + } + return Result::FATAL_ERROR_LIBRARY_FAILURE; +} + +Result NSSCertDBTrustDomain::CheckRSAPublicKeyModulusSizeInBits( + EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) { + if (modulusSizeInBits < mMinRSABits) { + return Result::ERROR_INADEQUATE_KEY_SIZE; + } + return Success; +} + +Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, mPinArg); +} + +Result NSSCertDBTrustDomain::VerifyRSAPSSSignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, mPinArg); +} + +Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable( + EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) { + switch (curve) { + case NamedCurve::secp256r1: // fall through + case NamedCurve::secp384r1: // fall through + case NamedCurve::secp521r1: + return Success; + } + + return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; +} + +Result NSSCertDBTrustDomain::VerifyECDSASignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, mPinArg); +} + +Result NSSCertDBTrustDomain::CheckValidityIsAcceptable( + Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA, + KeyPurposeId keyPurpose) { + if (endEntityOrCA != EndEntityOrCA::MustBeEndEntity) { + return Success; + } + if (keyPurpose == KeyPurposeId::id_kp_OCSPSigning) { + return Success; + } + + Duration DURATION_27_MONTHS_PLUS_SLOP((2 * 365 + 3 * 31 + 7) * + Time::ONE_DAY_IN_SECONDS); + Duration maxValidityDuration(UINT64_MAX); + Duration validityDuration(notBefore, notAfter); + + switch (mValidityCheckingMode) { + case ValidityCheckingMode::CheckingOff: + return Success; + case ValidityCheckingMode::CheckForEV: + // The EV Guidelines say the maximum is 27 months, but we use a slightly + // higher limit here to (hopefully) minimize compatibility breakage. + maxValidityDuration = DURATION_27_MONTHS_PLUS_SLOP; + break; + default: + MOZ_ASSERT_UNREACHABLE( + "We're not handling every ValidityCheckingMode type"); + } + + if (validityDuration > maxValidityDuration) { + return Result::ERROR_VALIDITY_TOO_LONG; + } + + return Success; +} + +Result NSSCertDBTrustDomain::NetscapeStepUpMatchesServerAuth( + Time notBefore, + /*out*/ bool& matches) { + // (new Date("2015-08-23T00:00:00Z")).getTime() / 1000 + static const Time AUGUST_23_2015 = TimeFromEpochInSeconds(1440288000); + // (new Date("2016-08-23T00:00:00Z")).getTime() / 1000 + static const Time AUGUST_23_2016 = TimeFromEpochInSeconds(1471910400); + + switch (mNetscapeStepUpPolicy) { + case NetscapeStepUpPolicy::AlwaysMatch: + matches = true; + return Success; + case NetscapeStepUpPolicy::MatchBefore23August2016: + matches = notBefore < AUGUST_23_2016; + return Success; + case NetscapeStepUpPolicy::MatchBefore23August2015: + matches = notBefore < AUGUST_23_2015; + return Success; + case NetscapeStepUpPolicy::NeverMatch: + matches = false; + return Success; + default: + MOZ_ASSERT_UNREACHABLE("unhandled NetscapeStepUpPolicy type"); + } + return Result::FATAL_ERROR_LIBRARY_FAILURE; +} + +void NSSCertDBTrustDomain::ResetAccumulatedState() { + mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_NEVER_CHECKED; + mSCTListFromOCSPStapling = nullptr; + mSCTListFromCertificate = nullptr; + mSawDistrustedCAByPolicyError = false; + mIsBuiltChainRootBuiltInRoot = false; +} + +static Input SECItemToInput(const UniqueSECItem& item) { + Input result; + if (item) { + MOZ_ASSERT(item->type == siBuffer); + Result rv = result.Init(item->data, item->len); + // As used here, |item| originally comes from an Input, + // so there should be no issues converting it back. + MOZ_ASSERT(rv == Success); + Unused << rv; // suppresses warnings in release builds + } + return result; +} + +Input NSSCertDBTrustDomain::GetSCTListFromCertificate() const { + return SECItemToInput(mSCTListFromCertificate); +} + +Input NSSCertDBTrustDomain::GetSCTListFromOCSPStapling() const { + return SECItemToInput(mSCTListFromOCSPStapling); +} + +bool NSSCertDBTrustDomain::GetIsBuiltChainRootBuiltInRoot() const { + return mIsBuiltChainRootBuiltInRoot; +} + +bool NSSCertDBTrustDomain::GetIsErrorDueToDistrustedCAPolicy() const { + return mSawDistrustedCAByPolicyError; +} + +void NSSCertDBTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension extension, + Input extensionData) { + UniqueSECItem* out = nullptr; + switch (extension) { + case AuxiliaryExtension::EmbeddedSCTList: + out = &mSCTListFromCertificate; + break; + case AuxiliaryExtension::SCTListFromOCSPResponse: + out = &mSCTListFromOCSPStapling; + break; + default: + MOZ_ASSERT_UNREACHABLE("unhandled AuxiliaryExtension"); + } + if (out) { + SECItem extensionDataItem = UnsafeMapInputToSECItem(extensionData); + out->reset(SECITEM_DupItem(&extensionDataItem)); + } +} + +SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig, + PKCS11DBConfig pkcs11DbConfig) { + MOZ_ASSERT(NS_IsMainThread()); + + // The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs + // module by NSS_Initialize because we will load it in LoadLoadableRoots + // later. It also allows us to work around a bug in the system NSS in + // Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as + // "/usr/lib/nss/libnssckbi.so". + uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE; + if (nssDbConfig == NSSDBConfig::ReadOnly) { + flags |= NSS_INIT_READONLY; + } + if (pkcs11DbConfig == PKCS11DBConfig::DoNotLoadModules) { + flags |= NSS_INIT_NOMODDB; + } + nsAutoCString dbTypeAndDirectory("sql:"); + dbTypeAndDirectory.Append(dir); + MOZ_LOG(gCertVerifierLog, LogLevel::Debug, + ("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(), + (int)nssDbConfig, (int)pkcs11DbConfig)); + SECStatus srv = + NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags); + if (srv != SECSuccess) { + return srv; + } + + if (nssDbConfig == NSSDBConfig::ReadWrite) { + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return SECFailure; + } + // If the key DB doesn't have a password set, PK11_NeedUserInit will return + // true. For the SQL DB, we need to set a password or we won't be able to + // import any certificates or change trust settings. + if (PK11_NeedUserInit(slot.get())) { + srv = PK11_InitPin(slot.get(), nullptr, nullptr); + MOZ_ASSERT(srv == SECSuccess); + Unused << srv; + } + } + + return SECSuccess; +} + +void DisableMD5() { + NSS_SetAlgorithmPolicy( + SEC_OID_MD5, 0, + NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE); + NSS_SetAlgorithmPolicy( + SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, 0, + NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE); + NSS_SetAlgorithmPolicy( + SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, 0, + NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE); +} + +// Load a given PKCS#11 module located in the given directory. It will be named +// the given module name. Optionally pass some string parameters to it via +// 'params'. This argument will be provided to C_Initialize when called on the +// module. +// |libraryName| and |dir| are encoded in UTF-8. +bool LoadUserModuleAt(const char* moduleName, const char* libraryName, + const nsCString& dir, /* optional */ const char* params) { + // If a module exists with the same name, make a best effort attempt to delete + // it. Note that it isn't possible to delete the internal module, so checking + // the return value would be detrimental in that case. + int unusedModType; + Unused << SECMOD_DeleteModule(moduleName, &unusedModType); + + nsAutoCString fullLibraryPath; + if (!dir.IsEmpty()) { + fullLibraryPath.Assign(dir); + fullLibraryPath.AppendLiteral(FILE_PATH_SEPARATOR); + } + fullLibraryPath.Append(MOZ_DLL_PREFIX); + fullLibraryPath.Append(libraryName); + fullLibraryPath.Append(MOZ_DLL_SUFFIX); + // Escape the \ and " characters. + fullLibraryPath.ReplaceSubstring("\\", "\\\\"); + fullLibraryPath.ReplaceSubstring("\"", "\\\""); + + nsAutoCString pkcs11ModuleSpec("name=\""); + pkcs11ModuleSpec.Append(moduleName); + pkcs11ModuleSpec.AppendLiteral("\" library=\""); + pkcs11ModuleSpec.Append(fullLibraryPath); + pkcs11ModuleSpec.AppendLiteral("\""); + if (params) { + pkcs11ModuleSpec.AppendLiteral("\" parameters=\""); + pkcs11ModuleSpec.Append(params); + pkcs11ModuleSpec.AppendLiteral("\""); + } + + UniqueSECMODModule userModule(SECMOD_LoadUserModule( + const_cast<char*>(pkcs11ModuleSpec.get()), nullptr, false)); + if (!userModule) { + return false; + } + + if (!userModule->loaded) { + return false; + } + + return true; +} + +const char* kIPCClientCertsModuleName = "IPC Client Cert Module"; + +bool LoadIPCClientCertsModule(const nsCString& dir) { + // The IPC client certs module needs to be able to call back into gecko to be + // able to communicate with the parent process over IPC. This is achieved by + // serializing the addresses of the relevant functions and passing them as an + // extra string parameter that will be available when C_Initialize is called + // on IPC client certs. + nsPrintfCString addrs("%p,%p", DoFindObjects, DoSign); + if (!LoadUserModuleAt(kIPCClientCertsModuleName, "ipcclientcerts", dir, + addrs.get())) { + return false; + } + RunOnShutdown( + []() { + UniqueSECMODModule ipcClientCertsModule( + SECMOD_FindModule(kIPCClientCertsModuleName)); + if (ipcClientCertsModule) { + SECMOD_UnloadUserModule(ipcClientCertsModule.get()); + } + }, + ShutdownPhase::XPCOMWillShutdown); + return true; +} + +const char* kOSClientCertsModuleName = "OS Client Cert Module"; + +bool LoadOSClientCertsModule(const nsCString& dir) { +#ifdef MOZ_WIDGET_COCOA + // osclientcerts requires macOS 10.14 or later + if (!nsCocoaFeatures::OnMojaveOrLater()) { + return false; + } +#endif + nsLiteralCString params = + StaticPrefs::security_osclientcerts_assume_rsa_pss_support() + ? "RSA-PSS"_ns + : ""_ns; + return LoadUserModuleAt(kOSClientCertsModuleName, "osclientcerts", dir, + params.get()); +} + +bool LoadLoadableRoots(const nsCString& dir) { + // Some NSS command-line utilities will load a roots module under the name + // "Root Certs" if there happens to be a `MOZ_DLL_PREFIX "nssckbi" + // MOZ_DLL_SUFFIX` file in the directory being operated on. In some cases this + // can cause us to fail to load our roots module. In these cases, deleting the + // "Root Certs" module allows us to load the correct one. See bug 1406396. + int unusedModType; + Unused << SECMOD_DeleteModule("Root Certs", &unusedModType); + return LoadUserModuleAt(kRootModuleName, "nssckbi", dir, nullptr); +} + +nsresult DefaultServerNicknameForCert(const CERTCertificate* cert, + /*out*/ nsCString& nickname) { + MOZ_ASSERT(cert); + NS_ENSURE_ARG_POINTER(cert); + + UniquePORTString baseName(CERT_GetCommonName(&cert->subject)); + if (!baseName) { + baseName = UniquePORTString(CERT_GetOrgUnitName(&cert->subject)); + } + if (!baseName) { + baseName = UniquePORTString(CERT_GetOrgName(&cert->subject)); + } + if (!baseName) { + baseName = UniquePORTString(CERT_GetLocalityName(&cert->subject)); + } + if (!baseName) { + baseName = UniquePORTString(CERT_GetStateName(&cert->subject)); + } + if (!baseName) { + baseName = UniquePORTString(CERT_GetCountryName(&cert->subject)); + } + if (!baseName) { + return NS_ERROR_FAILURE; + } + + // This function is only used in contexts where a failure to find a suitable + // nickname does not block the overall task from succeeding. + // As such, we use an arbitrary limit to prevent this nickname searching + // process from taking forever. + static const uint32_t ARBITRARY_LIMIT = 500; + for (uint32_t count = 1; count < ARBITRARY_LIMIT; count++) { + nickname = baseName.get(); + if (count != 1) { + nickname.AppendPrintf(" #%u", count); + } + if (nickname.IsEmpty()) { + return NS_ERROR_FAILURE; + } + + bool conflict = SEC_CertNicknameConflict(nickname.get(), &cert->derSubject, + cert->dbhandle); + if (!conflict) { + return NS_OK; + } + } + + return NS_ERROR_FAILURE; +} + +Result BuildRevocationCheckArrays(Input certDER, EndEntityOrCA endEntityOrCA, + /*out*/ nsTArray<uint8_t>& issuerBytes, + /*out*/ nsTArray<uint8_t>& serialBytes, + /*out*/ nsTArray<uint8_t>& subjectBytes, + /*out*/ nsTArray<uint8_t>& pubKeyBytes) { + BackCert cert(certDER, endEntityOrCA, nullptr); + Result rv = cert.Init(); + if (rv != Success) { + return rv; + } + issuerBytes.Clear(); + Input issuer(cert.GetIssuer()); + issuerBytes.AppendElements(issuer.UnsafeGetData(), issuer.GetLength()); + serialBytes.Clear(); + Input serial(cert.GetSerialNumber()); + serialBytes.AppendElements(serial.UnsafeGetData(), serial.GetLength()); + subjectBytes.Clear(); + Input subject(cert.GetSubject()); + subjectBytes.AppendElements(subject.UnsafeGetData(), subject.GetLength()); + pubKeyBytes.Clear(); + Input pubKey(cert.GetSubjectPublicKeyInfo()); + pubKeyBytes.AppendElements(pubKey.UnsafeGetData(), pubKey.GetLength()); + + return Success; +} + +bool CertIsInCertStorage(const nsTArray<uint8_t>& certDER, + nsICertStorage* certStorage) { + MOZ_ASSERT(certStorage); + if (!certStorage) { + return false; + } + Input certInput; + Result rv = certInput.Init(certDER.Elements(), certDER.Length()); + if (rv != Success) { + return false; + } + BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr); + rv = cert.Init(); + if (rv != Success) { + return false; + } + nsTArray<uint8_t> subject; + subject.AppendElements(cert.GetSubject().UnsafeGetData(), + cert.GetSubject().GetLength()); + nsTArray<nsTArray<uint8_t>> certStorageCerts; + if (NS_FAILED(certStorage->FindCertsBySubject(subject, certStorageCerts))) { + return false; + } + for (const auto& certStorageCert : certStorageCerts) { + if (certStorageCert.Length() != certDER.Length()) { + continue; + } + if (memcmp(certStorageCert.Elements(), certDER.Elements(), + certStorageCert.Length()) == 0) { + return true; + } + } + return false; +} + +/** + * Given a list of certificates representing a verified certificate path from an + * end-entity certificate to a trust anchor, imports the intermediate + * certificates into the permanent certificate database. This is an attempt to + * cope with misconfigured servers that don't include the appropriate + * intermediate certificates in the TLS handshake. + * + * @param certList the verified certificate list + */ +void SaveIntermediateCerts(const nsTArray<nsTArray<uint8_t>>& certList) { + if (certList.IsEmpty()) { + return; + } + nsTArray<nsTArray<uint8_t>> intermediates; + // Skip the end-entity; we only want to store intermediates. Similarly, + // there's no need to save the trust anchor - it's either already a permanent + // certificate or it's the Microsoft Family Safety root or an enterprise root + // temporarily imported via the child mode or enterprise root features. We + // don't want to import these because they're intended to be temporary (and + // because importing them happens to reset their trust settings, which breaks + // these features). + for (size_t index = 1; index < certList.Length() - 1; index++) { + intermediates.AppendElement(certList.ElementAt(index).Clone()); + } + nsCOMPtr<nsIRunnable> importCertsRunnable(NS_NewRunnableFunction( + "IdleSaveIntermediateCerts", + [intermediates = std::move(intermediates)]() -> void { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + return; + } + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return; + } + size_t numCertsImported = 0; + nsCOMPtr<nsICertStorage> certStorage( + do_GetService(NS_CERT_STORAGE_CID)); + for (const auto& certDER : intermediates) { + if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) { + return; + } + if (CertIsInCertStorage(certDER, certStorage)) { + continue; + } + SECItem certDERItem = {siBuffer, + const_cast<unsigned char*>(certDER.Elements()), + AssertedCast<unsigned int>(certDER.Length())}; + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &certDERItem, nullptr, false, true)); + if (!cert) { + continue; + } + if (cert->slot) { + // This cert was found on a token; no need to remember it in the + // permanent database. + continue; + } + PRBool isperm; + if (CERT_GetCertIsPerm(cert.get(), &isperm) != SECSuccess) { + continue; + } + if (isperm) { + // We don't need to remember certs already stored in perm db. + continue; + } + // This is a best-effort attempt at avoiding unknown issuer errors + // in the future, so ignore failures here. + nsAutoCString nickname; + if (NS_FAILED(DefaultServerNicknameForCert(cert.get(), nickname))) { + continue; + } + Unused << PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, + nickname.get(), false); + numCertsImported++; + } + + nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction( + "IdleSaveIntermediateCertsDone", [numCertsImported]() -> void { + nsCOMPtr<nsIObserverService> observerService = + mozilla::services::GetObserverService(); + if (observerService) { + NS_ConvertUTF8toUTF16 numCertsImportedString( + nsPrintfCString("%zu", numCertsImported)); + observerService->NotifyObservers( + nullptr, "psm:intermediate-certs-cached", + numCertsImportedString.get()); + } + })); + Unused << NS_DispatchToMainThread(runnable.forget()); + })); + Unused << NS_DispatchToCurrentThreadQueue(importCertsRunnable.forget(), + EventQueuePriority::Idle); +} + +} // namespace psm +} // namespace mozilla |