security/manager/ssl/IPCClientCertsParent.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set sw=2 ts=8 et tw=80 : */

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "IPCClientCertsParent.h"
#include "ScopedNSSTypes.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"

#include "mozilla/SyncRunnable.h"
#include "mozilla/ipc/BackgroundParent.h"

namespace mozilla::psm {

IPCClientCertsParent::IPCClientCertsParent() = default;

// When the IPC client certs module needs to find certificate and key objects
// in the socket process, it will cause this function to be called in the
// parent process. The parent process needs to find all certificates with
// private keys (because these are potential client certificates).
mozilla::ipc::IPCResult IPCClientCertsParent::RecvFindObjects(
    nsTArray<IPCClientCertObject>* aObjects) {
  nsCOMPtr<nsIEventTarget> socketThread(
      do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
  if (!socketThread) {
    return IPC_OK();
  }
  // Look for client certificates on the socket thread.
  UniqueCERTCertList certList;
  mozilla::SyncRunnable::DispatchToThread(
      socketThread, NS_NewRunnableFunction(
                        "IPCClientCertsParent::RecvFindObjects", [&certList]() {
                          certList =
                              psm::FindClientCertificatesWithPrivateKeys();
                        }));
  if (!certList) {
    return IPC_OK();
  }
  CERTCertListNode* n = CERT_LIST_HEAD(certList);
  while (!CERT_LIST_END(n, certList)) {
    nsTArray<uint8_t> certDER(n->cert->derCert.data, n->cert->derCert.len);
    uint32_t slotType;
    UniqueSECKEYPublicKey pubkey(CERT_ExtractPublicKey(n->cert));
    if (!pubkey) {
      return IPC_OK();
    }
    switch (SECKEY_GetPublicKeyType(pubkey.get())) {
      case rsaKey:
      case rsaPssKey: {
        slotType = PK11_DoesMechanism(n->cert->slot, CKM_RSA_PKCS_PSS)
                       ? kIPCClientCertsSlotTypeModern
                       : kIPCClientCertsSlotTypeLegacy;
        nsTArray<uint8_t> modulus(pubkey->u.rsa.modulus.data,
                                  pubkey->u.rsa.modulus.len);
        RSAKey rsakey(modulus, certDER, slotType);
        aObjects->AppendElement(std::move(rsakey));
        break;
      }
      case ecKey: {
        slotType = kIPCClientCertsSlotTypeModern;
        nsTArray<uint8_t> params(pubkey->u.ec.DEREncodedParams.data,
                                 pubkey->u.ec.DEREncodedParams.len);
        ECKey eckey(params, certDER, slotType);
        aObjects->AppendElement(std::move(eckey));
        break;
      }
      default:
        n = CERT_LIST_NEXT(n);
        continue;
    }
    Certificate cert(certDER, slotType);
    aObjects->AppendElement(std::move(cert));

    n = CERT_LIST_NEXT(n);
  }
  return IPC_OK();
}

// When the IPC client certs module needs to sign data using a key managed by
// the parent process, it will cause this function to be called in the parent
// process. The parent process needs to find the key corresponding to the given
// certificate and sign the given data with the given parameters.
mozilla::ipc::IPCResult IPCClientCertsParent::RecvSign(ByteArray aCert,
                                                       ByteArray aData,
                                                       ByteArray aParams,
                                                       ByteArray* aSignature) {
  SECItem certItem = {siBuffer, const_cast<uint8_t*>(aCert.data().Elements()),
                      static_cast<unsigned int>(aCert.data().Length())};
  aSignature->data().Clear();

  UniqueCERTCertificate cert(CERT_NewTempCertificate(
      CERT_GetDefaultCertDB(), &certItem, nullptr, false, true));
  if (!cert) {
    return IPC_OK();
  }
  UniqueSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert.get(), nullptr));
  if (!key) {
    return IPC_OK();
  }
  SECItem params = {siBuffer, aParams.data().Elements(),
                    static_cast<unsigned int>(aParams.data().Length())};
  SECItem* paramsPtr = aParams.data().Length() > 0 ? &params : nullptr;
  CK_MECHANISM_TYPE mechanism;
  switch (key->keyType) {
    case ecKey:
      mechanism = CKM_ECDSA;
      break;
    case rsaKey:
      mechanism = aParams.data().Length() > 0 ? CKM_RSA_PKCS_PSS : CKM_RSA_PKCS;
      break;
    default:
      return IPC_OK();
  }
  uint32_t len = PK11_SignatureLen(key.get());
  UniqueSECItem sig(::SECITEM_AllocItem(nullptr, nullptr, len));
  SECItem hash = {siBuffer, aData.data().Elements(),
                  static_cast<unsigned int>(aData.data().Length())};
  SECStatus srv =
      PK11_SignWithMechanism(key.get(), mechanism, paramsPtr, sig.get(), &hash);
  if (srv != SECSuccess) {
    return IPC_OK();
  }
  aSignature->data().AppendElements(sig->data, sig->len);
  return IPC_OK();
}

}  // namespace mozilla::psm