Line data Source code
1 : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 : /* This Source Code Form is subject to the terms of the Mozilla Public
4 : * License, v. 2.0. If a copy of the MPL was not distributed with this
5 : * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 :
7 : #ifndef NSSCertDBTrustDomain_h
8 : #define NSSCertDBTrustDomain_h
9 :
10 : #include "CertVerifier.h"
11 : #include "ScopedNSSTypes.h"
12 : #include "mozilla/BasePrincipal.h"
13 : #include "mozilla/TimeStamp.h"
14 : #include "nsICertBlocklist.h"
15 : #include "nsString.h"
16 : #include "pkix/pkixtypes.h"
17 : #include "secmodt.h"
18 :
19 : namespace mozilla { namespace psm {
20 :
21 : enum class ValidityCheckingMode {
22 : CheckingOff = 0,
23 : CheckForEV = 1,
24 : };
25 :
26 : // Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
27 : // certificates only):
28 : // * Always match: the step-up OID is considered equivalent to serverAuth
29 : // * Match before 23 August 2016: the OID is considered equivalent if the
30 : // certificate's notBefore is before 23 August 2016
31 : // * Match before 23 August 2015: similarly, but for 23 August 2015
32 : // * Never match: the OID is never considered equivalent to serverAuth
33 : enum class NetscapeStepUpPolicy : uint32_t {
34 : AlwaysMatch = 0,
35 : MatchBefore23August2016 = 1,
36 : MatchBefore23August2015 = 2,
37 : NeverMatch = 3,
38 : };
39 :
40 : SECStatus InitializeNSS(const char* dir, bool readOnly, bool loadPKCS11Modules);
41 :
42 : void DisableMD5();
43 :
44 : /**
45 : * Loads root certificates from a module.
46 : *
47 : * @param dir
48 : * The path to the directory containing the NSS builtin roots module.
49 : * Usually the same as the path to the other NSS shared libraries.
50 : * If empty, the (library) path will be searched.
51 : * @param modNameUTF8
52 : * The UTF-8 name to give the module for display purposes.
53 : * @return true if the roots were successfully loaded, false otherwise.
54 : */
55 : bool LoadLoadableRoots(const nsCString& dir, const nsCString& modNameUTF8);
56 :
57 : void UnloadLoadableRoots(const char* modNameUTF8);
58 :
59 : nsresult DefaultServerNicknameForCert(const CERTCertificate* cert,
60 : /*out*/ nsCString& nickname);
61 :
62 : void SaveIntermediateCerts(const UniqueCERTCertList& certList);
63 :
64 0 : class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
65 : {
66 :
67 : public:
68 : typedef mozilla::pkix::Result Result;
69 :
70 : enum OCSPFetching {
71 : NeverFetchOCSP = 0,
72 : FetchOCSPForDVSoftFail = 1,
73 : FetchOCSPForDVHardFail = 2,
74 : FetchOCSPForEV = 3,
75 : LocalOnlyOCSPForEV = 4,
76 : };
77 :
78 : NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
79 : OCSPCache& ocspCache, void* pinArg,
80 : CertVerifier::OcspGetConfig ocspGETConfig,
81 : mozilla::TimeDuration ocspTimeoutSoft,
82 : mozilla::TimeDuration ocspTimeoutHard,
83 : uint32_t certShortLifetimeInDays,
84 : CertVerifier::PinningMode pinningMode,
85 : unsigned int minRSABits,
86 : ValidityCheckingMode validityCheckingMode,
87 : CertVerifier::SHA1Mode sha1Mode,
88 : NetscapeStepUpPolicy netscapeStepUpPolicy,
89 : const OriginAttributes& originAttributes,
90 : UniqueCERTCertList& builtChain,
91 : /*optional*/ UniqueCERTCertList* peerCertChain = nullptr,
92 : /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
93 : /*optional*/ const char* hostname = nullptr);
94 :
95 : virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
96 : IssuerChecker& checker,
97 : mozilla::pkix::Time time) override;
98 :
99 : virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
100 : const mozilla::pkix::CertPolicyId& policy,
101 : mozilla::pkix::Input candidateCertDER,
102 : /*out*/ mozilla::pkix::TrustLevel& trustLevel)
103 : override;
104 :
105 : virtual Result CheckSignatureDigestAlgorithm(
106 : mozilla::pkix::DigestAlgorithm digestAlg,
107 : mozilla::pkix::EndEntityOrCA endEntityOrCA,
108 : mozilla::pkix::Time notBefore) override;
109 :
110 : virtual Result CheckRSAPublicKeyModulusSizeInBits(
111 : mozilla::pkix::EndEntityOrCA endEntityOrCA,
112 : unsigned int modulusSizeInBits) override;
113 :
114 : virtual Result VerifyRSAPKCS1SignedDigest(
115 : const mozilla::pkix::SignedDigest& signedDigest,
116 : mozilla::pkix::Input subjectPublicKeyInfo) override;
117 :
118 : virtual Result CheckECDSACurveIsAcceptable(
119 : mozilla::pkix::EndEntityOrCA endEntityOrCA,
120 : mozilla::pkix::NamedCurve curve) override;
121 :
122 : virtual Result VerifyECDSASignedDigest(
123 : const mozilla::pkix::SignedDigest& signedDigest,
124 : mozilla::pkix::Input subjectPublicKeyInfo) override;
125 :
126 : virtual Result DigestBuf(mozilla::pkix::Input item,
127 : mozilla::pkix::DigestAlgorithm digestAlg,
128 : /*out*/ uint8_t* digestBuf,
129 : size_t digestBufLen) override;
130 :
131 : virtual Result CheckValidityIsAcceptable(
132 : mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
133 : mozilla::pkix::EndEntityOrCA endEntityOrCA,
134 : mozilla::pkix::KeyPurposeId keyPurpose) override;
135 :
136 : virtual Result NetscapeStepUpMatchesServerAuth(
137 : mozilla::pkix::Time notBefore,
138 : /*out*/ bool& matches) override;
139 :
140 : virtual Result CheckRevocation(
141 : mozilla::pkix::EndEntityOrCA endEntityOrCA,
142 : const mozilla::pkix::CertID& certID,
143 : mozilla::pkix::Time time,
144 : mozilla::pkix::Duration validityDuration,
145 : /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
146 : /*optional*/ const mozilla::pkix::Input* aiaExtension)
147 : override;
148 :
149 : virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain,
150 : mozilla::pkix::Time time,
151 : const mozilla::pkix::CertPolicyId& requiredPolicy)
152 : override;
153 :
154 : virtual void NoteAuxiliaryExtension(
155 : mozilla::pkix::AuxiliaryExtension extension,
156 : mozilla::pkix::Input extensionData) override;
157 :
158 : // Resets the OCSP stapling status and SCT lists accumulated during
159 : // the chain building.
160 : void ResetAccumulatedState();
161 :
162 0 : CertVerifier::OCSPStaplingStatus GetOCSPStaplingStatus() const
163 : {
164 0 : return mOCSPStaplingStatus;
165 : }
166 :
167 : // SCT lists (see Certificate Transparency) extracted during
168 : // certificate verification. Note that the returned Inputs are invalidated
169 : // the next time a chain is built and by ResetAccumulatedState method
170 : // (and when the TrustDomain object is destroyed).
171 :
172 : mozilla::pkix::Input GetSCTListFromCertificate() const;
173 : mozilla::pkix::Input GetSCTListFromOCSPStapling() const;
174 :
175 : private:
176 : enum EncodedResponseSource {
177 : ResponseIsFromNetwork = 1,
178 : ResponseWasStapled = 2
179 : };
180 : Result VerifyAndMaybeCacheEncodedOCSPResponse(
181 : const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
182 : uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
183 : EncodedResponseSource responseSource, /*out*/ bool& expired);
184 : TimeDuration GetOCSPTimeout() const;
185 :
186 : const SECTrustType mCertDBTrustType;
187 : const OCSPFetching mOCSPFetching;
188 : OCSPCache& mOCSPCache; // non-owning!
189 : void* mPinArg; // non-owning!
190 : const CertVerifier::OcspGetConfig mOCSPGetConfig;
191 : const mozilla::TimeDuration mOCSPTimeoutSoft;
192 : const mozilla::TimeDuration mOCSPTimeoutHard;
193 : const uint32_t mCertShortLifetimeInDays;
194 : CertVerifier::PinningMode mPinningMode;
195 : const unsigned int mMinRSABits;
196 : ValidityCheckingMode mValidityCheckingMode;
197 : CertVerifier::SHA1Mode mSHA1Mode;
198 : NetscapeStepUpPolicy mNetscapeStepUpPolicy;
199 : const OriginAttributes& mOriginAttributes;
200 : UniqueCERTCertList& mBuiltChain; // non-owning
201 : UniqueCERTCertList* mPeerCertChain; // non-owning
202 : PinningTelemetryInfo* mPinningTelemetryInfo;
203 : const char* mHostname; // non-owning - only used for pinning checks
204 : nsCOMPtr<nsICertBlocklist> mCertBlocklist;
205 : CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
206 : // Certificate Transparency data extracted during certificate verification
207 : UniqueSECItem mSCTListFromCertificate;
208 : UniqueSECItem mSCTListFromOCSPStapling;
209 : };
210 :
211 : } } // namespace mozilla::psm
212 :
213 : #endif // NSSCertDBTrustDomain_h
|
