/src/mozilla-central/security/certverifier/NSSCertDBTrustDomain.h

Source (jump to first uncovered line)
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef NSSCertDBTrustDomain_h
#define NSSCertDBTrustDomain_h

#include "CertVerifier.h"
#include "ScopedNSSTypes.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/TimeStamp.h"
#include "nsICertBlocklist.h"
#include "nsString.h"
#include "pkix/pkixtypes.h"
#include "secmodt.h"

namespace mozilla { namespace psm {

enum class ValidityCheckingMode {
  CheckingOff = 0,
  CheckForEV = 1,
};

// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
// certificates only):
// * Always match: the step-up OID is considered equivalent to serverAuth
// * Match before 23 August 2016: the OID is considered equivalent if the
//   certificate's notBefore is before 23 August 2016
// * Match before 23 August 2015: similarly, but for 23 August 2015
// * Never match: the OID is never considered equivalent to serverAuth
enum class NetscapeStepUpPolicy : uint32_t {
  AlwaysMatch = 0,
  MatchBefore23August2016 = 1,
  MatchBefore23August2015 = 2,
  NeverMatch = 3,
};

SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
                        bool loadPKCS11Modules);

void DisableMD5();

/**
 * Loads root certificates from a module.
 *
 * @param dir
 *        The path to the directory containing the NSS builtin roots module.
 *        Usually the same as the path to the other NSS shared libraries.
 *        If empty, the (library) path will be searched.
 * @return true if the roots were successfully loaded, false otherwise.
 */
bool LoadLoadableRoots(const nsCString& dir);

void UnloadLoadableRoots();

nsresult DefaultServerNicknameForCert(const CERTCertificate* cert,
                              /*out*/ nsCString& nickname);

void SaveIntermediateCerts(const UniqueCERTCertList& certList);

class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
{

public:
  typedef mozilla::pkix::Result Result;

  enum OCSPFetching {
    NeverFetchOCSP = 0,
    FetchOCSPForDVSoftFail = 1,
    FetchOCSPForDVHardFail = 2,
    FetchOCSPForEV = 3,
    LocalOnlyOCSPForEV = 4,
  };

  NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                       OCSPCache& ocspCache, void* pinArg,
                       mozilla::TimeDuration ocspTimeoutSoft,
                       mozilla::TimeDuration ocspTimeoutHard,
                       uint32_t certShortLifetimeInDays,
                       CertVerifier::PinningMode pinningMode,
                       unsigned int minRSABits,
                       ValidityCheckingMode validityCheckingMode,
                       CertVerifier::SHA1Mode sha1Mode,
                       NetscapeStepUpPolicy netscapeStepUpPolicy,
                       DistrustedCAPolicy distrustedCAPolicy,
                       const OriginAttributes& originAttributes,
                       UniqueCERTCertList& builtChain,
          /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
          /*optional*/ const char* hostname = nullptr);

  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                            IssuerChecker& checker,
                            mozilla::pkix::Time time) override;

  virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                              const mozilla::pkix::CertPolicyId& policy,
                              mozilla::pkix::Input candidateCertDER,
                              /*out*/ mozilla::pkix::TrustLevel& trustLevel)
                              override;

  virtual Result CheckSignatureDigestAlgorithm(
                   mozilla::pkix::DigestAlgorithm digestAlg,
                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
                   mozilla::pkix::Time notBefore) override;

  virtual Result CheckRSAPublicKeyModulusSizeInBits(
                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
                   unsigned int modulusSizeInBits) override;

  virtual Result VerifyRSAPKCS1SignedDigest(
                   const mozilla::pkix::SignedDigest& signedDigest,
                   mozilla::pkix::Input subjectPublicKeyInfo) override;

  virtual Result CheckECDSACurveIsAcceptable(
                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
                   mozilla::pkix::NamedCurve curve) override;

  virtual Result VerifyECDSASignedDigest(
                   const mozilla::pkix::SignedDigest& signedDigest,
                   mozilla::pkix::Input subjectPublicKeyInfo) override;

  virtual Result DigestBuf(mozilla::pkix::Input item,
                           mozilla::pkix::DigestAlgorithm digestAlg,
                           /*out*/ uint8_t* digestBuf,
                           size_t digestBufLen) override;

  virtual Result CheckValidityIsAcceptable(
                   mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
                   mozilla::pkix::KeyPurposeId keyPurpose) override;

  virtual Result NetscapeStepUpMatchesServerAuth(
                   mozilla::pkix::Time notBefore,
                   /*out*/ bool& matches) override;

  virtual Result CheckRevocation(
                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
                   const mozilla::pkix::CertID& certID,
                   mozilla::pkix::Time time,
                   mozilla::pkix::Duration validityDuration,
      /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
      /*optional*/ const mozilla::pkix::Input* aiaExtension)
                   override;

  virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain,
                              mozilla::pkix::Time time,
                              const mozilla::pkix::CertPolicyId& requiredPolicy)
                              override;

  virtual void NoteAuxiliaryExtension(
                   mozilla::pkix::AuxiliaryExtension extension,
                   mozilla::pkix::Input extensionData) override;

  // Resets the OCSP stapling status and SCT lists accumulated during
  // the chain building.
  void ResetAccumulatedState();

  CertVerifier::OCSPStaplingStatus GetOCSPStaplingStatus() const
  {
    return mOCSPStaplingStatus;
  }

  // SCT lists (see Certificate Transparency) extracted during
  // certificate verification. Note that the returned Inputs are invalidated
  // the next time a chain is built and by ResetAccumulatedState method
  // (and when the TrustDomain object is destroyed).

  mozilla::pkix::Input GetSCTListFromCertificate() const;
  mozilla::pkix::Input GetSCTListFromOCSPStapling() const;

  bool GetIsErrorDueToDistrustedCAPolicy() const;

private:
  enum EncodedResponseSource {
    ResponseIsFromNetwork = 1,
    ResponseWasStapled = 2
  };
  Result VerifyAndMaybeCacheEncodedOCSPResponse(
    const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
    uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
    EncodedResponseSource responseSource, /*out*/ bool& expired);
  TimeDuration GetOCSPTimeout() const;

  const SECTrustType mCertDBTrustType;
  const OCSPFetching mOCSPFetching;
  OCSPCache& mOCSPCache; // non-owning!
  void* mPinArg; // non-owning!
  const mozilla::TimeDuration mOCSPTimeoutSoft;
  const mozilla::TimeDuration mOCSPTimeoutHard;
  const uint32_t mCertShortLifetimeInDays;
  CertVerifier::PinningMode mPinningMode;
  const unsigned int mMinRSABits;
  ValidityCheckingMode mValidityCheckingMode;
  CertVerifier::SHA1Mode mSHA1Mode;
  NetscapeStepUpPolicy mNetscapeStepUpPolicy;
  DistrustedCAPolicy mDistrustedCAPolicy;
  bool mSawDistrustedCAByPolicyError;
  const OriginAttributes& mOriginAttributes;
  UniqueCERTCertList& mBuiltChain; // non-owning
  PinningTelemetryInfo* mPinningTelemetryInfo;
  const char* mHostname; // non-owning - only used for pinning checks
  nsCOMPtr<nsICertBlocklist> mCertBlocklist;
  CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
  // Certificate Transparency data extracted during certificate verification
  UniqueSECItem mSCTListFromCertificate;
  UniqueSECItem mSCTListFromOCSPStapling;
};

} } // namespace mozilla::psm

#endif // NSSCertDBTrustDomain_h

Coverage Report

Created: 2018-09-25 14:53

Line	Count	Source (jump to first uncovered line)
1		/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */
2		/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3		/* This Source Code Form is subject to the terms of the Mozilla Public
4		* License, v. 2.0. If a copy of the MPL was not distributed with this
5		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7		#ifndef NSSCertDBTrustDomain_h
8		#define NSSCertDBTrustDomain_h
9
10		#include "CertVerifier.h"
11		#include "ScopedNSSTypes.h"
12		#include "mozilla/BasePrincipal.h"
13		#include "mozilla/TimeStamp.h"
14		#include "nsICertBlocklist.h"
15		#include "nsString.h"
16		#include "pkix/pkixtypes.h"
17		#include "secmodt.h"
18
19		namespace mozilla { namespace psm {
20
21		enum class ValidityCheckingMode {
22		CheckingOff = 0,
23		CheckForEV = 1,
24		};
25
26		// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
27		// certificates only):
28		// * Always match: the step-up OID is considered equivalent to serverAuth
29		// * Match before 23 August 2016: the OID is considered equivalent if the
30		// certificate's notBefore is before 23 August 2016
31		// * Match before 23 August 2015: similarly, but for 23 August 2015
32		// * Never match: the OID is never considered equivalent to serverAuth
33		enum class NetscapeStepUpPolicy : uint32_t {
34		AlwaysMatch = 0,
35		MatchBefore23August2016 = 1,
36		MatchBefore23August2015 = 2,
37		NeverMatch = 3,
38		};
39
40		SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
41		bool loadPKCS11Modules);
42
43		void DisableMD5();
44
45		/**
46		* Loads root certificates from a module.
47		*
48		* @param dir
49		* The path to the directory containing the NSS builtin roots module.
50		* Usually the same as the path to the other NSS shared libraries.
51		* If empty, the (library) path will be searched.
52		* @return true if the roots were successfully loaded, false otherwise.
53		*/
54		bool LoadLoadableRoots(const nsCString& dir);
55
56		void UnloadLoadableRoots();
57
58		nsresult DefaultServerNicknameForCert(const CERTCertificate* cert,
59		/out/ nsCString& nickname);
60
61		void SaveIntermediateCerts(const UniqueCERTCertList& certList);
62
63		class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
64		{
65
66		public:
67		typedef mozilla::pkix::Result Result;
68
69		enum OCSPFetching {
70		NeverFetchOCSP = 0,
71		FetchOCSPForDVSoftFail = 1,
72		FetchOCSPForDVHardFail = 2,
73		FetchOCSPForEV = 3,
74		LocalOnlyOCSPForEV = 4,
75		};
76
77		NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
78		OCSPCache& ocspCache, void* pinArg,
79		mozilla::TimeDuration ocspTimeoutSoft,
80		mozilla::TimeDuration ocspTimeoutHard,
81		uint32_t certShortLifetimeInDays,
82		CertVerifier::PinningMode pinningMode,
83		unsigned int minRSABits,
84		ValidityCheckingMode validityCheckingMode,
85		CertVerifier::SHA1Mode sha1Mode,
86		NetscapeStepUpPolicy netscapeStepUpPolicy,
87		DistrustedCAPolicy distrustedCAPolicy,
88		const OriginAttributes& originAttributes,
89		UniqueCERTCertList& builtChain,
90		/optional/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
91		/optional/ const char* hostname = nullptr);
92
93		virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
94		IssuerChecker& checker,
95		mozilla::pkix::Time time) override;
96
97		virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
98		const mozilla::pkix::CertPolicyId& policy,
99		mozilla::pkix::Input candidateCertDER,
100		/out/ mozilla::pkix::TrustLevel& trustLevel)
101		override;
102
103		virtual Result CheckSignatureDigestAlgorithm(
104		mozilla::pkix::DigestAlgorithm digestAlg,
105		mozilla::pkix::EndEntityOrCA endEntityOrCA,
106		mozilla::pkix::Time notBefore) override;
107
108		virtual Result CheckRSAPublicKeyModulusSizeInBits(
109		mozilla::pkix::EndEntityOrCA endEntityOrCA,
110		unsigned int modulusSizeInBits) override;
111
112		virtual Result VerifyRSAPKCS1SignedDigest(
113		const mozilla::pkix::SignedDigest& signedDigest,
114		mozilla::pkix::Input subjectPublicKeyInfo) override;
115
116		virtual Result CheckECDSACurveIsAcceptable(
117		mozilla::pkix::EndEntityOrCA endEntityOrCA,
118		mozilla::pkix::NamedCurve curve) override;
119
120		virtual Result VerifyECDSASignedDigest(
121		const mozilla::pkix::SignedDigest& signedDigest,
122		mozilla::pkix::Input subjectPublicKeyInfo) override;
123
124		virtual Result DigestBuf(mozilla::pkix::Input item,
125		mozilla::pkix::DigestAlgorithm digestAlg,
126		/out/ uint8_t* digestBuf,
127		size_t digestBufLen) override;
128
129		virtual Result CheckValidityIsAcceptable(
130		mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
131		mozilla::pkix::EndEntityOrCA endEntityOrCA,
132		mozilla::pkix::KeyPurposeId keyPurpose) override;
133
134		virtual Result NetscapeStepUpMatchesServerAuth(
135		mozilla::pkix::Time notBefore,
136		/out/ bool& matches) override;
137
138		virtual Result CheckRevocation(
139		mozilla::pkix::EndEntityOrCA endEntityOrCA,
140		const mozilla::pkix::CertID& certID,
141		mozilla::pkix::Time time,
142		mozilla::pkix::Duration validityDuration,
143		/optional/ const mozilla::pkix::Input* stapledOCSPResponse,
144		/optional/ const mozilla::pkix::Input* aiaExtension)
145		override;
146
147		virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain,
148		mozilla::pkix::Time time,
149		const mozilla::pkix::CertPolicyId& requiredPolicy)
150		override;
151
152		virtual void NoteAuxiliaryExtension(
153		mozilla::pkix::AuxiliaryExtension extension,
154		mozilla::pkix::Input extensionData) override;
155
156		// Resets the OCSP stapling status and SCT lists accumulated during
157		// the chain building.
158		void ResetAccumulatedState();
159
160		CertVerifier::OCSPStaplingStatus GetOCSPStaplingStatus() const
161	0	{
162	0	return mOCSPStaplingStatus;
163	0	}
164
165		// SCT lists (see Certificate Transparency) extracted during
166		// certificate verification. Note that the returned Inputs are invalidated
167		// the next time a chain is built and by ResetAccumulatedState method
168		// (and when the TrustDomain object is destroyed).
169
170		mozilla::pkix::Input GetSCTListFromCertificate() const;
171		mozilla::pkix::Input GetSCTListFromOCSPStapling() const;
172
173		bool GetIsErrorDueToDistrustedCAPolicy() const;
174
175		private:
176		enum EncodedResponseSource {
177		ResponseIsFromNetwork = 1,
178		ResponseWasStapled = 2
179		};
180		Result VerifyAndMaybeCacheEncodedOCSPResponse(
181		const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
182		uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
183		EncodedResponseSource responseSource, /out/ bool& expired);
184		TimeDuration GetOCSPTimeout() const;
185
186		const SECTrustType mCertDBTrustType;
187		const OCSPFetching mOCSPFetching;
188		OCSPCache& mOCSPCache; // non-owning!
189		void* mPinArg; // non-owning!
190		const mozilla::TimeDuration mOCSPTimeoutSoft;
191		const mozilla::TimeDuration mOCSPTimeoutHard;
192		const uint32_t mCertShortLifetimeInDays;
193		CertVerifier::PinningMode mPinningMode;
194		const unsigned int mMinRSABits;
195		ValidityCheckingMode mValidityCheckingMode;
196		CertVerifier::SHA1Mode mSHA1Mode;
197		NetscapeStepUpPolicy mNetscapeStepUpPolicy;
198		DistrustedCAPolicy mDistrustedCAPolicy;
199		bool mSawDistrustedCAByPolicyError;
200		const OriginAttributes& mOriginAttributes;
201		UniqueCERTCertList& mBuiltChain; // non-owning
202		PinningTelemetryInfo* mPinningTelemetryInfo;
203		const char* mHostname; // non-owning - only used for pinning checks
204		nsCOMPtr<nsICertBlocklist> mCertBlocklist;
205		CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
206		// Certificate Transparency data extracted during certificate verification
207		UniqueSECItem mSCTListFromCertificate;
208		UniqueSECItem mSCTListFromOCSPStapling;
209		};
210
211		} } // namespace mozilla::psm
212
213		#endif // NSSCertDBTrustDomain_h