1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef NSSCertDBTrustDomain_h
8 #define NSSCertDBTrustDomain_h
10 #include "CertVerifier.h"
11 #include "CRLiteTimestamp.h"
12 #include "ScopedNSSTypes.h"
13 #include "mozilla/BasePrincipal.h"
14 #include "mozilla/TimeStamp.h"
15 #include "mozpkix/pkixtypes.h"
16 #include "nsICertStorage.h"
23 enum class ValidityCheckingMode
{
28 enum class NSSDBConfig
{
33 enum class PKCS11DBConfig
{
38 // Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
39 // certificates only):
40 // * Always match: the step-up OID is considered equivalent to serverAuth
41 // * Match before 23 August 2016: the OID is considered equivalent if the
42 // certificate's notBefore is before 23 August 2016
43 // * Match before 23 August 2015: similarly, but for 23 August 2015
44 // * Never match: the OID is never considered equivalent to serverAuth
45 enum class NetscapeStepUpPolicy
: uint32_t {
47 MatchBefore23August2016
= 1,
48 MatchBefore23August2015
= 2,
52 enum class OCSPFetchStatus
: uint16_t {
57 // Helper struct to associate the DER bytes of a potential issuer certificate
58 // with its source (i.e. where it came from).
59 struct IssuerCandidateWithSource
{
60 mozilla::pkix::Input mDER
; // non-owning
61 IssuerSource mIssuerSource
;
64 SECStatus
InitializeNSS(const nsACString
& dir
, NSSDBConfig nssDbConfig
,
65 PKCS11DBConfig pkcs11DbConfig
);
70 * Loads root certificates from a module.
73 * The path to the directory containing the NSS builtin roots module.
74 * Usually the same as the path to the other NSS shared libraries.
75 * If empty, the (library) path will be searched.
76 * @return true if the roots were successfully loaded, false otherwise.
78 bool LoadLoadableRoots(const nsCString
& dir
);
81 * Loads the OS client certs module.
84 * The path to the directory containing the module. This should be the
85 * same as where all of the other gecko libraries live.
86 * @return true if the module was successfully loaded, false otherwise.
88 bool LoadOSClientCertsModule(const nsCString
& dir
);
90 extern const char* kOSClientCertsModuleName
;
93 * Loads the IPC client certs module.
96 * The path to the directory containing the module. This should be the
97 * same as where all of the other gecko libraries live.
98 * @return true if the module was successfully loaded, false otherwise.
100 bool LoadIPCClientCertsModule(const nsCString
& dir
);
102 extern const char* kIPCClientCertsModuleName
;
105 * Unloads the loadable roots module and os client certs module, if loaded.
107 void UnloadUserModules();
109 nsresult
DefaultServerNicknameForCert(const CERTCertificate
* cert
,
110 /*out*/ nsCString
& nickname
);
113 * Build nsTArray<uint8_t>s out of the issuer, serial, subject and public key
114 * data from the supplied certificate for use in revocation checks.
117 * The Input that references the encoded bytes of the certificate.
118 * @param endEntityOrCA
119 * Whether the certificate is an end-entity or CA.
120 * @param out encIssuer
121 * The array to populate with issuer data.
122 * @param out encSerial
123 * The array to populate with serial number data.
124 * @param out encSubject
125 * The array to populate with subject data.
126 * @param out encPubKey
127 * The array to populate with public key data.
129 * Result::Success, unless there's a problem decoding the certificate.
131 pkix::Result
BuildRevocationCheckArrays(pkix::Input certDER
,
132 pkix::EndEntityOrCA endEntityOrCA
,
133 /*out*/ nsTArray
<uint8_t>& issuerBytes
,
134 /*out*/ nsTArray
<uint8_t>& serialBytes
,
135 /*out*/ nsTArray
<uint8_t>& subjectBytes
,
136 /*out*/ nsTArray
<uint8_t>& pubKeyBytes
);
138 void SaveIntermediateCerts(const nsTArray
<nsTArray
<uint8_t>>& certList
);
140 class NSSCertDBTrustDomain
: public mozilla::pkix::TrustDomain
{
142 typedef mozilla::pkix::Result Result
;
146 FetchOCSPForDVSoftFail
= 1,
147 FetchOCSPForDVHardFail
= 2,
149 LocalOnlyOCSPForEV
= 4,
152 NSSCertDBTrustDomain(
153 SECTrustType certDBTrustType
, OCSPFetching ocspFetching
,
154 OCSPCache
& ocspCache
, void* pinArg
, mozilla::TimeDuration ocspTimeoutSoft
,
155 mozilla::TimeDuration ocspTimeoutHard
, uint32_t certShortLifetimeInDays
,
156 unsigned int minRSABits
, ValidityCheckingMode validityCheckingMode
,
157 NetscapeStepUpPolicy netscapeStepUpPolicy
, CRLiteMode crliteMode
,
158 const OriginAttributes
& originAttributes
,
159 const nsTArray
<mozilla::pkix::Input
>& thirdPartyRootInputs
,
160 const nsTArray
<mozilla::pkix::Input
>& thirdPartyIntermediateInputs
,
161 const Maybe
<nsTArray
<nsTArray
<uint8_t>>>& extraCertificates
,
162 /*out*/ nsTArray
<nsTArray
<uint8_t>>& builtChain
,
163 /*optional*/ PinningTelemetryInfo
* pinningTelemetryInfo
= nullptr,
164 /*optional*/ const char* hostname
= nullptr);
166 virtual Result
FindIssuer(mozilla::pkix::Input encodedIssuerName
,
167 IssuerChecker
& checker
,
168 mozilla::pkix::Time time
) override
;
170 virtual Result
GetCertTrust(
171 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
172 const mozilla::pkix::CertPolicyId
& policy
,
173 mozilla::pkix::Input candidateCertDER
,
174 /*out*/ mozilla::pkix::TrustLevel
& trustLevel
) override
;
176 virtual Result
CheckSignatureDigestAlgorithm(
177 mozilla::pkix::DigestAlgorithm digestAlg
,
178 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
179 mozilla::pkix::Time notBefore
) override
;
181 virtual Result
CheckRSAPublicKeyModulusSizeInBits(
182 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
183 unsigned int modulusSizeInBits
) override
;
185 virtual Result
VerifyRSAPKCS1SignedData(
186 mozilla::pkix::Input data
, mozilla::pkix::DigestAlgorithm digestAlgorithm
,
187 mozilla::pkix::Input signature
,
188 mozilla::pkix::Input subjectPublicKeyInfo
) override
;
190 virtual Result
VerifyRSAPSSSignedData(
191 mozilla::pkix::Input data
, mozilla::pkix::DigestAlgorithm digestAlgorithm
,
192 mozilla::pkix::Input signature
,
193 mozilla::pkix::Input subjectPublicKeyInfo
) override
;
195 virtual Result
CheckECDSACurveIsAcceptable(
196 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
197 mozilla::pkix::NamedCurve curve
) override
;
199 virtual Result
VerifyECDSASignedData(
200 mozilla::pkix::Input data
, mozilla::pkix::DigestAlgorithm digestAlgorithm
,
201 mozilla::pkix::Input signature
,
202 mozilla::pkix::Input subjectPublicKeyInfo
) override
;
204 virtual Result
DigestBuf(mozilla::pkix::Input item
,
205 mozilla::pkix::DigestAlgorithm digestAlg
,
206 /*out*/ uint8_t* digestBuf
,
207 size_t digestBufLen
) override
;
209 virtual Result
CheckValidityIsAcceptable(
210 mozilla::pkix::Time notBefore
, mozilla::pkix::Time notAfter
,
211 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
212 mozilla::pkix::KeyPurposeId keyPurpose
) override
;
214 virtual Result
NetscapeStepUpMatchesServerAuth(
215 mozilla::pkix::Time notBefore
,
216 /*out*/ bool& matches
) override
;
218 virtual Result
CheckRevocation(
219 mozilla::pkix::EndEntityOrCA endEntityOrCA
,
220 const mozilla::pkix::CertID
& certID
, mozilla::pkix::Time time
,
221 mozilla::pkix::Duration validityDuration
,
222 /*optional*/ const mozilla::pkix::Input
* stapledOCSPResponse
,
223 /*optional*/ const mozilla::pkix::Input
* aiaExtension
,
224 /*optional*/ const mozilla::pkix::Input
* sctExtension
) override
;
226 virtual Result
IsChainValid(
227 const mozilla::pkix::DERArray
& certChain
, mozilla::pkix::Time time
,
228 const mozilla::pkix::CertPolicyId
& requiredPolicy
) override
;
230 virtual void NoteAuxiliaryExtension(
231 mozilla::pkix::AuxiliaryExtension extension
,
232 mozilla::pkix::Input extensionData
) override
;
234 // Resets the OCSP stapling status and SCT lists accumulated during
235 // the chain building.
236 void ResetAccumulatedState();
238 CertVerifier::OCSPStaplingStatus
GetOCSPStaplingStatus() const {
239 return mOCSPStaplingStatus
;
242 // SCT lists (see Certificate Transparency) extracted during
243 // certificate verification. Note that the returned Inputs are invalidated
244 // the next time a chain is built and by ResetAccumulatedState method
245 // (and when the TrustDomain object is destroyed).
247 mozilla::pkix::Input
GetSCTListFromCertificate() const;
248 mozilla::pkix::Input
GetSCTListFromOCSPStapling() const;
250 bool GetIsBuiltChainRootBuiltInRoot() const;
252 bool GetIsErrorDueToDistrustedCAPolicy() const;
254 OCSPFetchStatus
GetOCSPFetchStatus() { return mOCSPFetchStatus
; }
255 IssuerSources
GetIssuerSources() { return mIssuerSources
; }
258 Result
CheckCRLiteStash(
259 const nsTArray
<uint8_t>& issuerSubjectPublicKeyInfoBytes
,
260 const nsTArray
<uint8_t>& serialNumberBytes
);
262 const nsTArray
<uint8_t>& issuerBytes
,
263 const nsTArray
<uint8_t>& issuerSubjectPublicKeyInfoBytes
,
264 const nsTArray
<uint8_t>& serialNumberBytes
,
265 const nsTArray
<RefPtr
<nsICRLiteTimestamp
>>& crliteTimestamps
,
266 bool& filterCoversCertificate
);
268 enum EncodedResponseSource
{
269 ResponseIsFromNetwork
= 1,
270 ResponseWasStapled
= 2
272 Result
VerifyAndMaybeCacheEncodedOCSPResponse(
273 const mozilla::pkix::CertID
& certID
, mozilla::pkix::Time time
,
274 uint16_t maxLifetimeInDays
, mozilla::pkix::Input encodedResponse
,
275 EncodedResponseSource responseSource
, /*out*/ bool& expired
);
276 TimeDuration
GetOCSPTimeout() const;
278 Result
CheckRevocationByCRLite(const mozilla::pkix::CertID
& certID
,
279 const mozilla::pkix::Input
& sctExtension
,
280 /*out*/ bool& crliteCoversCertificate
);
282 Result
CheckRevocationByOCSP(
283 const mozilla::pkix::CertID
& certID
, mozilla::pkix::Time time
,
284 mozilla::pkix::Duration validityDuration
, const nsCString
& aiaLocation
,
285 const bool crliteCoversCertificate
, const Result crliteResult
,
286 /*optional*/ const mozilla::pkix::Input
* stapledOCSPResponse
,
287 /*out*/ bool& softFailure
);
289 Result
SynchronousCheckRevocationWithServer(
290 const mozilla::pkix::CertID
& certID
, const nsCString
& aiaLocation
,
291 mozilla::pkix::Time time
, uint16_t maxOCSPLifetimeInDays
,
292 const Result cachedResponseResult
, const Result stapledOCSPResponseResult
,
293 const bool crliteFilterCoversCertificate
, const Result crliteResult
,
294 /*out*/ bool& softFailure
);
295 Result
HandleOCSPFailure(const Result cachedResponseResult
,
296 const Result stapledOCSPResponseResult
,
298 /*out*/ bool& softFailure
);
300 bool ShouldSkipSelfSignedNonTrustAnchor(mozilla::pkix::Input certDER
);
301 Result
CheckCandidates(IssuerChecker
& checker
,
302 nsTArray
<IssuerCandidateWithSource
>& candidates
,
303 mozilla::pkix::Input
* nameConstraintsInputPtr
,
306 const SECTrustType mCertDBTrustType
;
307 const OCSPFetching mOCSPFetching
;
308 OCSPCache
& mOCSPCache
; // non-owning!
309 void* mPinArg
; // non-owning!
310 const mozilla::TimeDuration mOCSPTimeoutSoft
;
311 const mozilla::TimeDuration mOCSPTimeoutHard
;
312 const uint32_t mCertShortLifetimeInDays
;
313 const unsigned int mMinRSABits
;
314 ValidityCheckingMode mValidityCheckingMode
;
315 NetscapeStepUpPolicy mNetscapeStepUpPolicy
;
316 CRLiteMode mCRLiteMode
;
317 bool mSawDistrustedCAByPolicyError
;
318 const OriginAttributes
& mOriginAttributes
;
319 const nsTArray
<mozilla::pkix::Input
>& mThirdPartyRootInputs
; // non-owning
320 const nsTArray
<mozilla::pkix::Input
>&
321 mThirdPartyIntermediateInputs
; // non-owning
322 const Maybe
<nsTArray
<nsTArray
<uint8_t>>>& mExtraCertificates
; // non-owning
323 nsTArray
<nsTArray
<uint8_t>>& mBuiltChain
; // non-owning
324 bool mIsBuiltChainRootBuiltInRoot
;
325 PinningTelemetryInfo
* mPinningTelemetryInfo
;
326 const char* mHostname
; // non-owning - only used for pinning checks
327 nsCOMPtr
<nsICertStorage
> mCertStorage
;
328 CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus
;
329 // Certificate Transparency data extracted during certificate verification
330 UniqueSECItem mSCTListFromCertificate
;
331 UniqueSECItem mSCTListFromOCSPStapling
;
333 // The built-in roots module, if available.
334 UniqueSECMODModule mBuiltInRootsModule
;
336 OCSPFetchStatus mOCSPFetchStatus
;
337 IssuerSources mIssuerSources
;
341 } // namespace mozilla
343 #endif // NSSCertDBTrustDomain_h