diff options
Diffstat (limited to '')
-rw-r--r-- | security/manager/ssl/PublicKeyPinningService.cpp | 393 |
1 files changed, 393 insertions, 0 deletions
diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp new file mode 100644 index 0000000000..e3d02ce326 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.cpp @@ -0,0 +1,393 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "PublicKeyPinningService.h" + +#include "RootCertificateTelemetryUtils.h" +#include "mozilla/ArrayUtils.h" +#include "mozilla/Base64.h" +#include "mozilla/BinarySearch.h" +#include "mozilla/Casting.h" +#include "mozilla/Logging.h" +#include "mozilla/Span.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/Telemetry.h" +#include "nsDependentString.h" +#include "nsServiceManagerUtils.h" +#include "nsSiteSecurityService.h" +#include "mozpkix/pkixtypes.h" +#include "mozpkix/pkixutil.h" +#include "seccomon.h" +#include "sechash.h" + +#include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::psm; + +LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService"); + +NS_IMPL_ISUPPORTS(PublicKeyPinningService, nsIPublicKeyPinningService) + +enum class PinningMode : uint32_t { + Disabled = 0, + AllowUserCAMITM = 1, + Strict = 2, + EnforceTestMode = 3 +}; + +PinningMode GetPinningMode() { + PinningMode pinningMode = static_cast<PinningMode>( + StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly()); + switch (pinningMode) { + case PinningMode::Disabled: + return PinningMode::Disabled; + case PinningMode::AllowUserCAMITM: + return PinningMode::AllowUserCAMITM; + case PinningMode::Strict: + return PinningMode::Strict; + case PinningMode::EnforceTestMode: + return PinningMode::EnforceTestMode; + default: + return PinningMode::Disabled; + } +} + +/** + Computes in the location specified by base64Out the SHA256 digest + of the DER Encoded subject Public Key Info for the given cert +*/ +static nsresult GetBase64HashSPKI(const BackCert& cert, + nsACString& hashSPKIDigest) { + Input derPublicKey = cert.GetSubjectPublicKeyInfo(); + + hashSPKIDigest.Truncate(); + nsTArray<uint8_t> digestArray; + nsresult nsrv = + Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(), + derPublicKey.GetLength(), digestArray); + if (NS_FAILED(nsrv)) { + return nsrv; + } + return Base64Encode(nsDependentCSubstring( + BitwiseCast<char*, uint8_t*>(digestArray.Elements()), + digestArray.Length()), + hashSPKIDigest); +} + +/* + * Sets certMatchesPinset to true if a given cert matches any fingerprints from + * the given pinset and false otherwise. + */ +static nsresult EvalCert(const BackCert& cert, + const StaticFingerprints* fingerprints, + /*out*/ bool& certMatchesPinset) { + certMatchesPinset = false; + if (!fingerprints) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: No hashes found\n")); + return NS_ERROR_INVALID_ARG; + } + + nsAutoCString base64Out; + nsresult rv = GetBase64HashSPKI(cert, base64Out); + if (NS_FAILED(rv)) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: GetBase64HashSPKI failed!\n")); + return rv; + } + + if (fingerprints) { + for (size_t i = 0; i < fingerprints->size; i++) { + if (base64Out.Equals(fingerprints->data[i])) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: found pin base_64 ='%s'\n", base64Out.get())); + certMatchesPinset = true; + return NS_OK; + } + } + } + return NS_OK; +} + +/* + * Sets certListIntersectsPinset to true if a given chain matches any + * fingerprints from the given static fingerprints and false otherwise. + */ +static nsresult EvalChain(const nsTArray<Span<const uint8_t>>& derCertList, + const StaticFingerprints* fingerprints, + /*out*/ bool& certListIntersectsPinset) { + certListIntersectsPinset = false; + if (!fingerprints) { + MOZ_ASSERT(false, "Must pass in at least one type of pinset"); + return NS_ERROR_FAILURE; + } + + EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity; + for (const auto& cert : derCertList) { + Input certInput; + mozilla::pkix::Result rv = certInput.Init(cert.data(), cert.size()); + if (rv != mozilla::pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + BackCert backCert(certInput, endEntityOrCA, nullptr); + rv = backCert.Init(); + if (rv != mozilla::pkix::Result::Success) { + return NS_ERROR_INVALID_ARG; + } + + nsresult nsrv = EvalCert(backCert, fingerprints, certListIntersectsPinset); + if (NS_FAILED(nsrv)) { + return nsrv; + } + if (certListIntersectsPinset) { + break; + } + endEntityOrCA = EndEntityOrCA::MustBeCA; + } + + if (!certListIntersectsPinset) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: no matches found\n")); + } + return NS_OK; +} + +class TransportSecurityPreloadBinarySearchComparator { + public: + explicit TransportSecurityPreloadBinarySearchComparator( + const char* aTargetHost) + : mTargetHost(aTargetHost) {} + + int operator()(const TransportSecurityPreload& val) const { + return strcmp(mTargetHost, val.mHost); + } + + private: + const char* mTargetHost; // non-owning +}; + +#ifdef DEBUG +static Atomic<bool> sValidatedPinningPreloadList(false); + +static void ValidatePinningPreloadList() { + if (sValidatedPinningPreloadList) { + return; + } + for (const auto& entry : kPublicKeyPinningPreloadList) { + // If and only if a static entry is a Mozilla entry, it has a telemetry ID. + MOZ_ASSERT((entry.mIsMoz && entry.mId != kUnknownId) || + (!entry.mIsMoz && entry.mId == kUnknownId)); + } + sValidatedPinningPreloadList = true; +} +#endif // DEBUG + +// Returns via one of the output parameters the most relevant pinning +// information that is valid for the given host at the given time. +static nsresult FindPinningInformation( + const char* hostname, mozilla::pkix::Time time, + /*out*/ const TransportSecurityPreload*& staticFingerprints) { +#ifdef DEBUG + ValidatePinningPreloadList(); +#endif + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + staticFingerprints = nullptr; + const TransportSecurityPreload* foundEntry = nullptr; + const char* evalHost = hostname; + const char* evalPart; + // Notice how the (xx = strchr) prevents pins for unqualified domain names. + while (!foundEntry && (evalPart = strchr(evalHost, '.'))) { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Querying pinsets for host: '%s'\n", evalHost)); + size_t foundEntryIndex; + if (BinarySearchIf(kPublicKeyPinningPreloadList, 0, + ArrayLength(kPublicKeyPinningPreloadList), + TransportSecurityPreloadBinarySearchComparator(evalHost), + &foundEntryIndex)) { + foundEntry = &kPublicKeyPinningPreloadList[foundEntryIndex]; + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Found pinset for host: '%s'\n", evalHost)); + if (evalHost != hostname) { + if (!foundEntry->mIncludeSubdomains) { + // Does not apply to this host, continue iterating + foundEntry = nullptr; + } + } + } else { + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Didn't find pinset for host: '%s'\n", evalHost)); + } + // Add one for '.' + evalHost = evalPart + 1; + } + + if (foundEntry && foundEntry->pinset) { + if (time > TimeFromEpochInSeconds(kPreloadPKPinsExpirationTime / + PR_USEC_PER_SEC)) { + return NS_OK; + } + staticFingerprints = foundEntry; + } + return NS_OK; +} + +// Returns true via the output parameter if the given certificate list meets +// pinning requirements for the given host at the given time. It must be the +// case that either there is an intersection between the set of hashes of +// subject public key info data in the list and the most relevant non-expired +// pinset for the host or there is no pinning information for the host. +static nsresult CheckPinsForHostname( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + bool enforceTestMode, mozilla::pkix::Time time, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) { + chainHasValidPins = false; + if (certList.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + + const TransportSecurityPreload* staticFingerprints = nullptr; + nsresult rv = FindPinningInformation(hostname, time, staticFingerprints); + if (NS_FAILED(rv)) { + return rv; + } + // If we have no pinning information, the certificate chain trivially + // validates with respect to pinning. + if (!staticFingerprints) { + chainHasValidPins = true; + return NS_OK; + } + if (staticFingerprints) { + bool enforceTestModeResult; + rv = EvalChain(certList, staticFingerprints->pinset, enforceTestModeResult); + if (NS_FAILED(rv)) { + return rv; + } + chainHasValidPins = enforceTestModeResult; + if (staticFingerprints->mTestMode && !enforceTestMode) { + chainHasValidPins = true; + } + + if (pinningTelemetryInfo) { + // If and only if a static entry is a Mozilla entry, it has a telemetry + // ID. + if ((staticFingerprints->mIsMoz && + staticFingerprints->mId == kUnknownId) || + (!staticFingerprints->mIsMoz && + staticFingerprints->mId != kUnknownId)) { + return NS_ERROR_FAILURE; + } + + Telemetry::HistogramID histogram; + int32_t bucket; + // We can collect per-host pinning violations for this host because it is + // operationally critical to Firefox. + if (staticFingerprints->mIsMoz) { + histogram = staticFingerprints->mTestMode + ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST + : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST; + bucket = staticFingerprints->mId * 2 + (enforceTestModeResult ? 1 : 0); + } else { + histogram = staticFingerprints->mTestMode + ? Telemetry::CERT_PINNING_TEST_RESULTS + : Telemetry::CERT_PINNING_RESULTS; + bucket = enforceTestModeResult ? 1 : 0; + } + pinningTelemetryInfo->accumulateResult = true; + pinningTelemetryInfo->certPinningResultHistogram = Some(histogram); + pinningTelemetryInfo->certPinningResultBucket = bucket; + + // We only collect per-CA pinning statistics upon failures. + if (!enforceTestModeResult) { + int32_t binNumber = RootCABinNumber(certList.LastElement()); + if (binNumber != ROOT_CERTIFICATE_UNKNOWN) { + pinningTelemetryInfo->accumulateForRoot = true; + pinningTelemetryInfo->rootBucket = binNumber; + } + } + } + + MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, + ("pkpin: Pin check %s for %s host '%s' (mode=%s)\n", + enforceTestModeResult ? "passed" : "failed", + staticFingerprints->mIsMoz ? "mozilla" : "non-mozilla", hostname, + staticFingerprints->mTestMode ? "test" : "production")); + } + + return NS_OK; +} + +nsresult PublicKeyPinningService::ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool isBuiltInRoot, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) { + PinningMode pinningMode(GetPinningMode()); + if (pinningMode == PinningMode::Disabled || + (!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) { + chainHasValidPins = true; + return NS_OK; + } + + chainHasValidPins = false; + if (certList.IsEmpty()) { + return NS_ERROR_INVALID_ARG; + } + if (!hostname || hostname[0] == 0) { + return NS_ERROR_INVALID_ARG; + } + nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname)); + bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode; + return CheckPinsForHostname(certList, canonicalizedHostname.get(), + enforceTestMode, time, chainHasValidPins, + pinningTelemetryInfo); +} + +NS_IMETHODIMP +PublicKeyPinningService::HostHasPins(nsIURI* aURI, bool* hostHasPins) { + NS_ENSURE_ARG(aURI); + NS_ENSURE_ARG(hostHasPins); + *hostHasPins = false; + PinningMode pinningMode(GetPinningMode()); + if (pinningMode == PinningMode::Disabled) { + return NS_OK; + } + nsAutoCString hostname; + nsresult rv = nsSiteSecurityService::GetHost(aURI, hostname); + if (NS_FAILED(rv)) { + return rv; + } + if (nsSiteSecurityService::HostIsIPAddress(hostname)) { + return NS_OK; + } + + const TransportSecurityPreload* staticFingerprints = nullptr; + rv = FindPinningInformation(hostname.get(), Now(), staticFingerprints); + if (NS_FAILED(rv)) { + return rv; + } + if (staticFingerprints) { + *hostHasPins = !staticFingerprints->mTestMode || + pinningMode == PinningMode::EnforceTestMode; + } + return NS_OK; +} + +nsAutoCString PublicKeyPinningService::CanonicalizeHostname( + const char* hostname) { + nsAutoCString canonicalizedHostname(hostname); + ToLowerCase(canonicalizedHostname); + while (canonicalizedHostname.Length() > 0 && + canonicalizedHostname.Last() == '.') { + canonicalizedHostname.Truncate(canonicalizedHostname.Length() - 1); + } + return canonicalizedHostname; +} |