/src/mozilla-central/security/manager/ssl/RootCertificateTelemetryUtils.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
2 | | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ |
3 | | /* This Source Code Form is subject to the terms of the Mozilla Public |
4 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
5 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
6 | | |
7 | | #include "RootCertificateTelemetryUtils.h" |
8 | | |
9 | | #include "mozilla/Logging.h" |
10 | | #include "RootHashes.inc" // Note: Generated by genRootCAHashes.js |
11 | | #include "ScopedNSSTypes.h" |
12 | | #include "mozilla/ArrayUtils.h" |
13 | | |
14 | | namespace mozilla { namespace psm { |
15 | | |
16 | | mozilla::LazyLogModule gPublicKeyPinningTelemetryLog("PublicKeyPinningTelemetryService"); |
17 | | |
18 | | // Used in the BinarySearch method, this does a memcmp between the pointer |
19 | | // provided to its construtor and whatever the binary search is looking for. |
20 | | // |
21 | | // This implementation assumes everything to be of HASH_LEN, so it should not |
22 | | // be used generically. |
23 | | class BinaryHashSearchArrayComparator |
24 | | { |
25 | | public: |
26 | | explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len) |
27 | | : mTarget(aTarget) |
28 | 0 | { |
29 | 0 | MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length."); |
30 | 0 | } |
31 | | |
32 | 0 | int operator()(const CertAuthorityHash val) const { |
33 | 0 | return memcmp(mTarget, val.hash, HASH_LEN); |
34 | 0 | } |
35 | | |
36 | | private: |
37 | | const uint8_t* mTarget; |
38 | | }; |
39 | | |
40 | | // Perform a hash of the provided cert, then search in the RootHashes.inc data |
41 | | // structure for a matching bin number. |
42 | | int32_t |
43 | | RootCABinNumber(const SECItem* cert) |
44 | 0 | { |
45 | 0 | Digest digest; |
46 | 0 |
|
47 | 0 | // Compute SHA256 hash of the certificate |
48 | 0 | nsresult rv = digest.DigestBuf(SEC_OID_SHA256, cert->data, cert->len); |
49 | 0 | if (NS_WARN_IF(NS_FAILED(rv))) { |
50 | 0 | return ROOT_CERTIFICATE_HASH_FAILURE; |
51 | 0 | } |
52 | 0 |
|
53 | 0 | // Compare against list of stored hashes |
54 | 0 | size_t idx; |
55 | 0 |
|
56 | 0 | MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug, |
57 | 0 | ("pkpinTelem: First bytes %02x %02x %02x %02x\n", |
58 | 0 | digest.get().data[0], digest.get().data[1], digest.get().data[2], digest.get().data[3])); |
59 | 0 |
|
60 | 0 | if (mozilla::BinarySearchIf(ROOT_TABLE, 0, ArrayLength(ROOT_TABLE), |
61 | 0 | BinaryHashSearchArrayComparator(static_cast<uint8_t*>(digest.get().data), |
62 | 0 | digest.get().len), |
63 | 0 | &idx)) { |
64 | 0 |
|
65 | 0 | MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug, |
66 | 0 | ("pkpinTelem: Telemetry index was %zu, bin is %d\n", |
67 | 0 | idx, ROOT_TABLE[idx].binNumber)); |
68 | 0 | return (int32_t) ROOT_TABLE[idx].binNumber; |
69 | 0 | } |
70 | 0 |
|
71 | 0 | // Didn't match. |
72 | 0 | return ROOT_CERTIFICATE_UNKNOWN; |
73 | 0 | } |
74 | | |
75 | | |
76 | | // Attempt to increment the appropriate bin in the provided Telemetry probe ID. If |
77 | | // there was a hash failure, we do nothing. |
78 | | void |
79 | | AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe, |
80 | | const CERTCertificate* cert) |
81 | 0 | { |
82 | 0 | int32_t binId = RootCABinNumber(&cert->derCert); |
83 | 0 |
|
84 | 0 | if (binId != ROOT_CERTIFICATE_HASH_FAILURE) { |
85 | 0 | Accumulate(probe, binId); |
86 | 0 | } |
87 | 0 | } |
88 | | |
89 | | } // namespace psm |
90 | | } // namespace mozilla |