1 files changed, 393 insertions, 0 deletions

diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp
new file mode 100644
index 0000000000..e3d02ce326
--- /dev/null
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@@ -0,0 +1,393 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "PublicKeyPinningService.h"
+
+#include "RootCertificateTelemetryUtils.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Base64.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Logging.h"
+#include "mozilla/Span.h"
+#include "mozilla/StaticPrefs_security.h"
+#include "mozilla/Telemetry.h"
+#include "nsDependentString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsSiteSecurityService.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixutil.h"
+#include "seccomon.h"
+#include "sechash.h"
+
+#include "StaticHPKPins.h"  // autogenerated by genHPKPStaticpins.js
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::psm;
+
+LazyLogModule gPublicKeyPinningLog("PublicKeyPinningService");
+
+NS_IMPL_ISUPPORTS(PublicKeyPinningService, nsIPublicKeyPinningService)
+
+enum class PinningMode : uint32_t {
+  Disabled = 0,
+  AllowUserCAMITM = 1,
+  Strict = 2,
+  EnforceTestMode = 3
+};
+
+PinningMode GetPinningMode() {
+  PinningMode pinningMode = static_cast<PinningMode>(
+      StaticPrefs::security_cert_pinning_enforcement_level_DoNotUseDirectly());
+  switch (pinningMode) {
+    case PinningMode::Disabled:
+      return PinningMode::Disabled;
+    case PinningMode::AllowUserCAMITM:
+      return PinningMode::AllowUserCAMITM;
+    case PinningMode::Strict:
+      return PinningMode::Strict;
+    case PinningMode::EnforceTestMode:
+      return PinningMode::EnforceTestMode;
+    default:
+      return PinningMode::Disabled;
+  }
+}
+
+/**
+ Computes in the location specified by base64Out the SHA256 digest
+ of the DER Encoded subject Public Key Info for the given cert
+*/
+static nsresult GetBase64HashSPKI(const BackCert& cert,
+                                  nsACString& hashSPKIDigest) {
+  Input derPublicKey = cert.GetSubjectPublicKeyInfo();
+
+  hashSPKIDigest.Truncate();
+  nsTArray<uint8_t> digestArray;
+  nsresult nsrv =
+      Digest::DigestBuf(SEC_OID_SHA256, derPublicKey.UnsafeGetData(),
+                        derPublicKey.GetLength(), digestArray);
+  if (NS_FAILED(nsrv)) {
+    return nsrv;
+  }
+  return Base64Encode(nsDependentCSubstring(
+                          BitwiseCast<char*, uint8_t*>(digestArray.Elements()),
+                          digestArray.Length()),
+                      hashSPKIDigest);
+}
+
+/*
+ * Sets certMatchesPinset to true if a given cert matches any fingerprints from
+ * the given pinset and false otherwise.
+ */
+static nsresult EvalCert(const BackCert& cert,
+                         const StaticFingerprints* fingerprints,
+                         /*out*/ bool& certMatchesPinset) {
+  certMatchesPinset = false;
+  if (!fingerprints) {
+    MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+            ("pkpin: No hashes found\n"));
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  nsAutoCString base64Out;
+  nsresult rv = GetBase64HashSPKI(cert, base64Out);
+  if (NS_FAILED(rv)) {
+    MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+            ("pkpin: GetBase64HashSPKI failed!\n"));
+    return rv;
+  }
+
+  if (fingerprints) {
+    for (size_t i = 0; i < fingerprints->size; i++) {
+      if (base64Out.Equals(fingerprints->data[i])) {
+        MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+                ("pkpin: found pin base_64 ='%s'\n", base64Out.get()));
+        certMatchesPinset = true;
+        return NS_OK;
+      }
+    }
+  }
+  return NS_OK;
+}
+
+/*
+ * Sets certListIntersectsPinset to true if a given chain matches any
+ * fingerprints from the given static fingerprints and false otherwise.
+ */
+static nsresult EvalChain(const nsTArray<Span<const uint8_t>>& derCertList,
+                          const StaticFingerprints* fingerprints,
+                          /*out*/ bool& certListIntersectsPinset) {
+  certListIntersectsPinset = false;
+  if (!fingerprints) {
+    MOZ_ASSERT(false, "Must pass in at least one type of pinset");
+    return NS_ERROR_FAILURE;
+  }
+
+  EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
+  for (const auto& cert : derCertList) {
+    Input certInput;
+    mozilla::pkix::Result rv = certInput.Init(cert.data(), cert.size());
+    if (rv != mozilla::pkix::Result::Success) {
+      return NS_ERROR_INVALID_ARG;
+    }
+    BackCert backCert(certInput, endEntityOrCA, nullptr);
+    rv = backCert.Init();
+    if (rv != mozilla::pkix::Result::Success) {
+      return NS_ERROR_INVALID_ARG;
+    }
+
+    nsresult nsrv = EvalCert(backCert, fingerprints, certListIntersectsPinset);
+    if (NS_FAILED(nsrv)) {
+      return nsrv;
+    }
+    if (certListIntersectsPinset) {
+      break;
+    }
+    endEntityOrCA = EndEntityOrCA::MustBeCA;
+  }
+
+  if (!certListIntersectsPinset) {
+    MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+            ("pkpin: no matches found\n"));
+  }
+  return NS_OK;
+}
+
+class TransportSecurityPreloadBinarySearchComparator {
+ public:
+  explicit TransportSecurityPreloadBinarySearchComparator(
+      const char* aTargetHost)
+      : mTargetHost(aTargetHost) {}
+
+  int operator()(const TransportSecurityPreload& val) const {
+    return strcmp(mTargetHost, val.mHost);
+  }
+
+ private:
+  const char* mTargetHost;  // non-owning
+};
+
+#ifdef DEBUG
+static Atomic<bool> sValidatedPinningPreloadList(false);
+
+static void ValidatePinningPreloadList() {
+  if (sValidatedPinningPreloadList) {
+    return;
+  }
+  for (const auto& entry : kPublicKeyPinningPreloadList) {
+    // If and only if a static entry is a Mozilla entry, it has a telemetry ID.
+    MOZ_ASSERT((entry.mIsMoz && entry.mId != kUnknownId) ||
+               (!entry.mIsMoz && entry.mId == kUnknownId));
+  }
+  sValidatedPinningPreloadList = true;
+}
+#endif  // DEBUG
+
+// Returns via one of the output parameters the most relevant pinning
+// information that is valid for the given host at the given time.
+static nsresult FindPinningInformation(
+    const char* hostname, mozilla::pkix::Time time,
+    /*out*/ const TransportSecurityPreload*& staticFingerprints) {
+#ifdef DEBUG
+  ValidatePinningPreloadList();
+#endif
+  if (!hostname || hostname[0] == 0) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  staticFingerprints = nullptr;
+  const TransportSecurityPreload* foundEntry = nullptr;
+  const char* evalHost = hostname;
+  const char* evalPart;
+  // Notice how the (xx = strchr) prevents pins for unqualified domain names.
+  while (!foundEntry && (evalPart = strchr(evalHost, '.'))) {
+    MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+            ("pkpin: Querying pinsets for host: '%s'\n", evalHost));
+    size_t foundEntryIndex;
+    if (BinarySearchIf(kPublicKeyPinningPreloadList, 0,
+                       ArrayLength(kPublicKeyPinningPreloadList),
+                       TransportSecurityPreloadBinarySearchComparator(evalHost),
+                       &foundEntryIndex)) {
+      foundEntry = &kPublicKeyPinningPreloadList[foundEntryIndex];
+      MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+              ("pkpin: Found pinset for host: '%s'\n", evalHost));
+      if (evalHost != hostname) {
+        if (!foundEntry->mIncludeSubdomains) {
+          // Does not apply to this host, continue iterating
+          foundEntry = nullptr;
+        }
+      }
+    } else {
+      MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+              ("pkpin: Didn't find pinset for host: '%s'\n", evalHost));
+    }
+    // Add one for '.'
+    evalHost = evalPart + 1;
+  }
+
+  if (foundEntry && foundEntry->pinset) {
+    if (time > TimeFromEpochInSeconds(kPreloadPKPinsExpirationTime /
+                                      PR_USEC_PER_SEC)) {
+      return NS_OK;
+    }
+    staticFingerprints = foundEntry;
+  }
+  return NS_OK;
+}
+
+// Returns true via the output parameter if the given certificate list meets
+// pinning requirements for the given host at the given time. It must be the
+// case that either there is an intersection between the set of hashes of
+// subject public key info data in the list and the most relevant non-expired
+// pinset for the host or there is no pinning information for the host.
+static nsresult CheckPinsForHostname(
+    const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+    bool enforceTestMode, mozilla::pkix::Time time,
+    /*out*/ bool& chainHasValidPins,
+    /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
+  chainHasValidPins = false;
+  if (certList.IsEmpty()) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  if (!hostname || hostname[0] == 0) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  const TransportSecurityPreload* staticFingerprints = nullptr;
+  nsresult rv = FindPinningInformation(hostname, time, staticFingerprints);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  // If we have no pinning information, the certificate chain trivially
+  // validates with respect to pinning.
+  if (!staticFingerprints) {
+    chainHasValidPins = true;
+    return NS_OK;
+  }
+  if (staticFingerprints) {
+    bool enforceTestModeResult;
+    rv = EvalChain(certList, staticFingerprints->pinset, enforceTestModeResult);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+    chainHasValidPins = enforceTestModeResult;
+    if (staticFingerprints->mTestMode && !enforceTestMode) {
+      chainHasValidPins = true;
+    }
+
+    if (pinningTelemetryInfo) {
+      // If and only if a static entry is a Mozilla entry, it has a telemetry
+      // ID.
+      if ((staticFingerprints->mIsMoz &&
+           staticFingerprints->mId == kUnknownId) ||
+          (!staticFingerprints->mIsMoz &&
+           staticFingerprints->mId != kUnknownId)) {
+        return NS_ERROR_FAILURE;
+      }
+
+      Telemetry::HistogramID histogram;
+      int32_t bucket;
+      // We can collect per-host pinning violations for this host because it is
+      // operationally critical to Firefox.
+      if (staticFingerprints->mIsMoz) {
+        histogram = staticFingerprints->mTestMode
+                        ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
+                        : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST;
+        bucket = staticFingerprints->mId * 2 + (enforceTestModeResult ? 1 : 0);
+      } else {
+        histogram = staticFingerprints->mTestMode
+                        ? Telemetry::CERT_PINNING_TEST_RESULTS
+                        : Telemetry::CERT_PINNING_RESULTS;
+        bucket = enforceTestModeResult ? 1 : 0;
+      }
+      pinningTelemetryInfo->accumulateResult = true;
+      pinningTelemetryInfo->certPinningResultHistogram = Some(histogram);
+      pinningTelemetryInfo->certPinningResultBucket = bucket;
+
+      // We only collect per-CA pinning statistics upon failures.
+      if (!enforceTestModeResult) {
+        int32_t binNumber = RootCABinNumber(certList.LastElement());
+        if (binNumber != ROOT_CERTIFICATE_UNKNOWN) {
+          pinningTelemetryInfo->accumulateForRoot = true;
+          pinningTelemetryInfo->rootBucket = binNumber;
+        }
+      }
+    }
+
+    MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug,
+            ("pkpin: Pin check %s for %s host '%s' (mode=%s)\n",
+             enforceTestModeResult ? "passed" : "failed",
+             staticFingerprints->mIsMoz ? "mozilla" : "non-mozilla", hostname,
+             staticFingerprints->mTestMode ? "test" : "production"));
+  }
+
+  return NS_OK;
+}
+
+nsresult PublicKeyPinningService::ChainHasValidPins(
+    const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+    mozilla::pkix::Time time, bool isBuiltInRoot,
+    /*out*/ bool& chainHasValidPins,
+    /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo) {
+  PinningMode pinningMode(GetPinningMode());
+  if (pinningMode == PinningMode::Disabled ||
+      (!isBuiltInRoot && pinningMode == PinningMode::AllowUserCAMITM)) {
+    chainHasValidPins = true;
+    return NS_OK;
+  }
+
+  chainHasValidPins = false;
+  if (certList.IsEmpty()) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  if (!hostname || hostname[0] == 0) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  nsAutoCString canonicalizedHostname(CanonicalizeHostname(hostname));
+  bool enforceTestMode = pinningMode == PinningMode::EnforceTestMode;
+  return CheckPinsForHostname(certList, canonicalizedHostname.get(),
+                              enforceTestMode, time, chainHasValidPins,
+                              pinningTelemetryInfo);
+}
+
+NS_IMETHODIMP
+PublicKeyPinningService::HostHasPins(nsIURI* aURI, bool* hostHasPins) {
+  NS_ENSURE_ARG(aURI);
+  NS_ENSURE_ARG(hostHasPins);
+  *hostHasPins = false;
+  PinningMode pinningMode(GetPinningMode());
+  if (pinningMode == PinningMode::Disabled) {
+    return NS_OK;
+  }
+  nsAutoCString hostname;
+  nsresult rv = nsSiteSecurityService::GetHost(aURI, hostname);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  if (nsSiteSecurityService::HostIsIPAddress(hostname)) {
+    return NS_OK;
+  }
+
+  const TransportSecurityPreload* staticFingerprints = nullptr;
+  rv = FindPinningInformation(hostname.get(), Now(), staticFingerprints);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+  if (staticFingerprints) {
+    *hostHasPins = !staticFingerprints->mTestMode ||
+                   pinningMode == PinningMode::EnforceTestMode;
+  }
+  return NS_OK;
+}
+
+nsAutoCString PublicKeyPinningService::CanonicalizeHostname(
+    const char* hostname) {
+  nsAutoCString canonicalizedHostname(hostname);
+  ToLowerCase(canonicalizedHostname);
+  while (canonicalizedHostname.Length() > 0 &&
+         canonicalizedHostname.Last() == '.') {
+    canonicalizedHostname.Truncate(canonicalizedHostname.Length() - 1);
+  }
+  return canonicalizedHostname;
+}