diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
commit | 43a97878ce14b72f0981164f87f2e35e14151312 (patch) | |
tree | 620249daf56c0258faa40cbdcf9cfba06de2a846 /security/manager/ssl/VerifySSLServerCertChild.cpp | |
parent | Initial commit. (diff) | |
download | firefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip |
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/VerifySSLServerCertChild.cpp')
-rw-r--r-- | security/manager/ssl/VerifySSLServerCertChild.cpp | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/security/manager/ssl/VerifySSLServerCertChild.cpp b/security/manager/ssl/VerifySSLServerCertChild.cpp new file mode 100644 index 0000000000..17ea0e4cfb --- /dev/null +++ b/security/manager/ssl/VerifySSLServerCertChild.cpp @@ -0,0 +1,121 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set sw=2 ts=8 et tw=80 : */ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "VerifySSLServerCertChild.h" + +#include "CertVerifier.h" +#include "mozilla/ipc/BackgroundChild.h" +#include "mozilla/ipc/PBackgroundChild.h" +#include "nsNSSIOLayer.h" +#include "nsSerializationHelper.h" + +extern mozilla::LazyLogModule gPIPNSSLog; + +namespace mozilla { +namespace psm { + +VerifySSLServerCertChild::VerifySSLServerCertChild( + SSLServerCertVerificationResult* aResultTask, + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags) + : mResultTask(aResultTask), + mPeerCertChain(std::move(aPeerCertChain)), + mProviderFlags(aProviderFlags) {} + +ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess( + nsTArray<ByteArray>&& aBuiltCertChain, + const uint16_t& aCertTransparencyStatus, const uint8_t& aEVStatus, + const bool& aIsBuiltCertChainRootBuiltInRoot, + const bool& aMadeOCSPRequests) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, + ("[%p] VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertSuccess", + this)); + + nsTArray<nsTArray<uint8_t>> certBytesArray; + for (auto& cert : aBuiltCertChain) { + certBytesArray.AppendElement(std::move(cert.data())); + } + + mResultTask->Dispatch( + std::move(certBytesArray), std::move(mPeerCertChain), + aCertTransparencyStatus, static_cast<EVStatus>(aEVStatus), true, 0, + nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET, + aIsBuiltCertChainRootBuiltInRoot, mProviderFlags, aMadeOCSPRequests); + return IPC_OK(); +} + +ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifiedSSLServerCertFailure( + const int32_t& aFinalError, const uint32_t& aOverridableErrorCategory, + const bool& aMadeOCSPRequests) { + mResultTask->Dispatch( + nsTArray<nsTArray<uint8_t>>(), std::move(mPeerCertChain), + nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE, + EVStatus::NotEV, false, aFinalError, + static_cast<nsITransportSecurityInfo::OverridableErrorCategory>( + aOverridableErrorCategory), + false, mProviderFlags, aMadeOCSPRequests); + return IPC_OK(); +} + +SECStatus RemoteProcessCertVerification( + nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName, + int32_t aPort, const OriginAttributes& aOriginAttributes, + Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse, + Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension, + Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags, + uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask) { + if (!aResultTask) { + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return SECFailure; + } + + nsTArray<ByteArray> peerCertBytes; + for (auto& certBytes : aPeerCertChain) { + peerCertBytes.AppendElement(ByteArray(certBytes)); + } + + Maybe<ByteArray> stapledOCSPResponse; + if (aStapledOCSPResponse) { + stapledOCSPResponse.emplace(); + stapledOCSPResponse->data().Assign(*aStapledOCSPResponse); + } + + Maybe<ByteArray> sctsFromTLSExtension; + if (aSctsFromTLSExtension) { + sctsFromTLSExtension.emplace(); + sctsFromTLSExtension->data().Assign(*aSctsFromTLSExtension); + } + + Maybe<DelegatedCredentialInfoArg> dcInfo; + if (aDcInfo) { + dcInfo.emplace(); + dcInfo.ref().scheme() = static_cast<uint32_t>(aDcInfo->scheme); + dcInfo.ref().authKeyBits() = static_cast<uint32_t>(aDcInfo->authKeyBits); + } + + mozilla::ipc::PBackgroundChild* actorChild = mozilla::ipc::BackgroundChild:: + GetOrCreateForSocketParentBridgeForCurrentThread(); + if (!actorChild) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild( + aResultTask, std::move(aPeerCertChain), aProviderFlags); + if (!actorChild->SendPVerifySSLServerCertConstructor( + authCert, peerCertBytes, PromiseFlatCString(aHostName), aPort, + aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo, + aProviderFlags, aCertVerifierFlags)) { + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return SECFailure; + } + + PR_SetError(PR_WOULD_BLOCK_ERROR, 0); + return SECWouldBlock; +} + +} // namespace psm +} // namespace mozilla |