1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef NSSCertDBTrustDomain_h
8 #define NSSCertDBTrustDomain_h
10 #include "CertVerifier.h"
11 #include "CRLiteTimestamp.h"
12 #include "ScopedNSSTypes.h"
13 #include "mozilla/BasePrincipal.h"
14 #include "mozilla/TimeStamp.h"
15 #include "mozpkix/pkixtypes.h"
16 #include "nsICertStorage.h"
17 #include "nsString.h"
18 #include "secmodt.h"
20 namespace mozilla {
21 namespace psm {
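// Validity-period policy handed to NSSCertDBTrustDomain through its
// validityCheckingMode constructor argument. CheckForEV presumably selects the
// stricter EV-only rule; the exact rule is applied in the .cpp
// (CheckValidityIsAcceptable).
enum class ValidityCheckingMode {
  CheckingOff = 0,
  CheckForEV = 1,
};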
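// Whether InitializeNSS opens the NSS certificate/key database read-write or
// read-only (its nssDbConfig argument).
enum class NSSDBConfig {
  ReadWrite = 0,
  ReadOnly = 1,
};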
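// Whether InitializeNSS loads the PKCS#11 modules recorded in the module
// database (its pkcs11DbConfig argument).
enum class PKCS11DBConfig {
  DoNotLoadModules = 0,
  LoadModules = 1,
};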
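// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
// certificates only):
// * Always match: the step-up OID is considered equivalent to serverAuth
// * Match before 23 August 2016: the OID is considered equivalent if the
//   certificate's notBefore is before 23 August 2016
// * Match before 23 August 2015: similarly, but for 23 August 2015
// * Never match: the OID is never considered equivalent to serverAuth
// AlwaysMatch is the most permissive option and NeverMatch the strictest. The
// policy is consulted by NSSCertDBTrustDomain::NetscapeStepUpMatchesServerAuth.
enum class NetscapeStepUpPolicy : uint32_t {
  AlwaysMatch = 0,
  MatchBefore23August2016 = 1,
  MatchBefore23August2015 = 2,
  NeverMatch = 3,
};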
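// Records whether an OCSP fetch took place during the most recent chain
// verification. Exposed through NSSCertDBTrustDomain::GetOCSPFetchStatus().
enum class OCSPFetchStatus : uint16_t {
  NotFetched = 0,
  Fetched = 1,
};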
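// Helper struct to associate the DER bytes of a potential issuer certificate
// with its source (i.e. where it came from).
//
// mDER does not own the bytes it references: whoever builds the candidate list
// must keep the underlying buffer alive until the list is no longer used
// (see NSSCertDBTrustDomain::CheckCandidates).
struct IssuerCandidateWithSource {
  mozilla::pkix::Input mDER;  // non-owning
  IssuerSource mIssuerSource;
};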
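/**
 * Initializes NSS using the database in `dir`.
 *
 * @param dir
 *        The directory holding the NSS certificate/key database.
 * @param nssDbConfig
 *        Whether that database is opened read-write or read-only.
 * @param pkcs11DbConfig
 *        Whether the PKCS#11 modules recorded in the module database are
 *        loaded.
 * @return SECSuccess on success; the failure cases are decided in the
 *         implementation.
 */
SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig,
                        PKCS11DBConfig pkcs11DbConfig);

// Presumably disables MD5-based algorithms in NSS's algorithm policy; which
// policy flags are touched is decided in the implementation, not here.
void DisableMD5();

/**
 * Loads root certificates from a module.
 *
 * @param dir
 *        The path to the directory containing the NSS builtin roots module.
 *        Usually the same as the path to the other NSS shared libraries.
 *        If empty, the (library) path will be searched.
 * @return true if the roots were successfully loaded, false otherwise.
 */
bool LoadLoadableRoots(const nsCString& dir);

/**
 * Loads the OS client certs module.
 *
 * @param dir
 *        The path to the directory containing the module. This should be the
 *        same as where all of the other gecko libraries live.
 * @return true if the module was successfully loaded, false otherwise.
 */
bool LoadOSClientCertsModule(const nsCString& dir);

// Module name under which the OS client certs module is registered with NSS.
extern const char* kOSClientCertsModuleName;

/**
 * Loads the IPC client certs module.
 *
 * @param dir
 *        The path to the directory containing the module. This should be the
 *        same as where all of the other gecko libraries live.
 * @return true if the module was successfully loaded, false otherwise.
 */
bool LoadIPCClientCertsModule(const nsCString& dir);

// Module name under which the IPC client certs module is registered with NSS.
extern const char* kIPCClientCertsModuleName;

/**
 * Unloads the loadable roots module and os client certs module, if loaded.
 */
void UnloadUserModules();

/**
 * Computes the default nickname to use for a server certificate.
 *
 * @param cert
 *        The certificate to derive a nickname for.
 * @param out nickname
 *        Receives the computed nickname.
 * @return An nsresult; the failure codes are those of the implementation.
 */
nsresult DefaultServerNicknameForCert(const CERTCertificate* cert,
                                      /*out*/ nsCString& nickname);

/**
 * Build nsTArray<uint8_t>s out of the issuer, serial, subject and public key
 * data from the supplied certificate for use in revocation checks.
 *
 * @param certDER
 *        The Input that references the encoded bytes of the certificate.
 * @param endEntityOrCA
 *        Whether the certificate is an end-entity or CA.
 * @param out issuerBytes
 *        The array to populate with issuer data.
 * @param out serialBytes
 *        The array to populate with serial number data.
 * @param out subjectBytes
 *        The array to populate with subject data.
 * @param out pubKeyBytes
 *        The array to populate with public key data.
 * @return
 *        Result::Success, unless there's a problem decoding the certificate.
 */
pkix::Result BuildRevocationCheckArrays(pkix::Input certDER,
                                        pkix::EndEntityOrCA endEntityOrCA,
                                        /*out*/ nsTArray<uint8_t>& issuerBytes,
                                        /*out*/ nsTArray<uint8_t>& serialBytes,
                                        /*out*/ nsTArray<uint8_t>& subjectBytes,
                                        /*out*/ nsTArray<uint8_t>& pubKeyBytes);

/**
 * Saves the given DER-encoded intermediate certificates. Where they are
 * stored (presumably the NSS database) is decided by the implementation.
 *
 * @param certList
 *        The DER encodings of the intermediates to save.
 */
void SaveIntermediateCerts(const nsTArray<nsTArray<uint8_t>>& certList);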
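/**
 * mozilla::pkix::TrustDomain implementation backed by the NSS certificate
 * database, with CRLite and OCSP based revocation checking.
 *
 * Lifetime: the constructor takes several references (the OCSPCache, the
 * OriginAttributes, the third-party root and intermediate arrays, the extra
 * certificates and the builtChain output array) and raw pointers (pinArg,
 * pinningTelemetryInfo, hostname) and stores them as non-owning members. The
 * caller must keep every one of them alive for as long as this object is used.
 *
 * The accumulated state (OCSP stapling status, SCT lists, OCSP fetch status,
 * issuer sources) describes the most recent chain build and is cleared by
 * ResetAccumulatedState().
 */
class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
 public:
  using Result = mozilla::pkix::Result;

  // How OCSP is consulted during revocation checking. The DV soft/hard-fail
  // variants presumably pair with the ocspTimeoutSoft/ocspTimeoutHard
  // constructor arguments; the failure handling itself is in
  // HandleOCSPFailure (implemented in the .cpp).
  enum OCSPFetching {
    NeverFetchOCSP = 0,
    FetchOCSPForDVSoftFail = 1,
    FetchOCSPForDVHardFail = 2,
    FetchOCSPForEV = 3,
    LocalOnlyOCSPForEV = 4,
  };

  /**
   * @param certDBTrustType
   *        The NSS trust type (SECTrustType) whose trust flags are consulted.
   * @param ocspFetching
   *        The OCSP fetching mode; see OCSPFetching.
   * @param ocspCache
   *        Cache of OCSP responses; kept by reference (non-owning).
   * @param pinArg
   *        Opaque PKCS#11 password callback argument; kept as-is (non-owning).
   * @param ocspTimeoutSoft, ocspTimeoutHard
   *        Timeouts for OCSP requests; which one applies is decided by
   *        GetOCSPTimeout().
   * @param certShortLifetimeInDays, minRSABits, validityCheckingMode,
   *        netscapeStepUpPolicy, crliteMode
   *        Policy knobs stored for the corresponding Check*() overrides.
   * @param originAttributes
   *        Kept by reference (non-owning).
   * @param thirdPartyRootInputs, thirdPartyIntermediateInputs,
   *        extraCertificates
   *        Additional issuer candidates; kept by reference (non-owning).
   * @param out builtChain
   *        Receives the DER encodings of the built chain; kept by reference.
   * @param pinningTelemetryInfo
   *        Optional telemetry sink for pinning checks (non-owning).
   * @param hostname
   *        Optional; used only for pinning checks (non-owning).
   */
  NSSCertDBTrustDomain(
      SECTrustType certDBTrustType, OCSPFetching ocspFetching,
      OCSPCache& ocspCache, void* pinArg, mozilla::TimeDuration ocspTimeoutSoft,
      mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays,
      unsigned int minRSABits, ValidityCheckingMode validityCheckingMode,
      NetscapeStepUpPolicy netscapeStepUpPolicy, CRLiteMode crliteMode,
      const OriginAttributes& originAttributes,
      const nsTArray<mozilla::pkix::Input>& thirdPartyRootInputs,
      const nsTArray<mozilla::pkix::Input>& thirdPartyIntermediateInputs,
      const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
      /*out*/ nsTArray<nsTArray<uint8_t>>& builtChain,
      /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
      /*optional*/ const char* hostname = nullptr);

  // mozilla::pkix::TrustDomain interface. These are called back by mozpkix
  // while a chain is being built; the contract of each is documented on
  // TrustDomain in the included mozpkix headers.

  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                            IssuerChecker& checker,
                            mozilla::pkix::Time time) override;

  virtual Result GetCertTrust(
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      const mozilla::pkix::CertPolicyId& policy,
      mozilla::pkix::Input candidateCertDER,
      /*out*/ mozilla::pkix::TrustLevel& trustLevel) override;

  virtual Result CheckSignatureDigestAlgorithm(
      mozilla::pkix::DigestAlgorithm digestAlg,
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      mozilla::pkix::Time notBefore) override;

  // Enforces the minimum RSA modulus size (mMinRSABits).
  virtual Result CheckRSAPublicKeyModulusSizeInBits(
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      unsigned int modulusSizeInBits) override;

  virtual Result VerifyRSAPKCS1SignedData(
      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
      mozilla::pkix::Input signature,
      mozilla::pkix::Input subjectPublicKeyInfo) override;

  virtual Result VerifyRSAPSSSignedData(
      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
      mozilla::pkix::Input signature,
      mozilla::pkix::Input subjectPublicKeyInfo) override;

  virtual Result CheckECDSACurveIsAcceptable(
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      mozilla::pkix::NamedCurve curve) override;

  virtual Result VerifyECDSASignedData(
      mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
      mozilla::pkix::Input signature,
      mozilla::pkix::Input subjectPublicKeyInfo) override;

  virtual Result DigestBuf(mozilla::pkix::Input item,
                           mozilla::pkix::DigestAlgorithm digestAlg,
                           /*out*/ uint8_t* digestBuf,
                           size_t digestBufLen) override;

  // Applies mValidityCheckingMode (and presumably mCertShortLifetimeInDays)
  // to the certificate's validity period.
  virtual Result CheckValidityIsAcceptable(
      mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      mozilla::pkix::KeyPurposeId keyPurpose) override;

  // Applies mNetscapeStepUpPolicy; see NetscapeStepUpPolicy.
  virtual Result NetscapeStepUpMatchesServerAuth(
      mozilla::pkix::Time notBefore,
      /*out*/ bool& matches) override;

  // Revocation checking entry point: CRLite first (CheckRevocationByCRLite),
  // then OCSP (CheckRevocationByOCSP) according to mOCSPFetching. The
  // ordering is inferred from the private helper signatures below; confirm
  // against the implementation.
  virtual Result CheckRevocation(
      mozilla::pkix::EndEntityOrCA endEntityOrCA,
      const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
      mozilla::pkix::Duration validityDuration,
      /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
      /*optional*/ const mozilla::pkix::Input* aiaExtension,
      /*optional*/ const mozilla::pkix::Input* sctExtension) override;

  virtual Result IsChainValid(
      const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
      const mozilla::pkix::CertPolicyId& requiredPolicy) override;

  virtual void NoteAuxiliaryExtension(
      mozilla::pkix::AuxiliaryExtension extension,
      mozilla::pkix::Input extensionData) override;

  // Resets the OCSP stapling status and SCT lists accumulated during
  // the chain building.
  void ResetAccumulatedState();

  CertVerifier::OCSPStaplingStatus GetOCSPStaplingStatus() const {
    return mOCSPStaplingStatus;
  }

  // SCT lists (see Certificate Transparency) extracted during
  // certificate verification. Note that the returned Inputs are invalidated
  // the next time a chain is built and by ResetAccumulatedState method
  // (and when the TrustDomain object is destroyed).
  mozilla::pkix::Input GetSCTListFromCertificate() const;
  mozilla::pkix::Input GetSCTListFromOCSPStapling() const;

  // Whether the root of the most recently built chain came from the built-in
  // roots module.
  bool GetIsBuiltChainRootBuiltInRoot() const;

  // Whether the last verification failed because a CA was distrusted by
  // policy (presumably backed by mSawDistrustedCAByPolicyError).
  bool GetIsErrorDueToDistrustedCAPolicy() const;

  // Accessors for state accumulated during the most recent chain build.
  OCSPFetchStatus GetOCSPFetchStatus() const { return mOCSPFetchStatus; }
  IssuerSources GetIssuerSources() const { return mIssuerSources; }

 private:
  Result CheckCRLiteStash(
      const nsTArray<uint8_t>& issuerSubjectPublicKeyInfoBytes,
      const nsTArray<uint8_t>& serialNumberBytes);
  Result CheckCRLite(
      const nsTArray<uint8_t>& issuerBytes,
      const nsTArray<uint8_t>& issuerSubjectPublicKeyInfoBytes,
      const nsTArray<uint8_t>& serialNumberBytes,
      const nsTArray<RefPtr<nsICRLiteTimestamp>>& crliteTimestamps,
      bool& filterCoversCertificate);

  // Where an encoded OCSP response came from; affects how it is cached.
  enum EncodedResponseSource {
    ResponseIsFromNetwork = 1,
    ResponseWasStapled = 2
  };
  Result VerifyAndMaybeCacheEncodedOCSPResponse(
      const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
      uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
      EncodedResponseSource responseSource, /*out*/ bool& expired);
  // Picks between mOCSPTimeoutSoft and mOCSPTimeoutHard.
  TimeDuration GetOCSPTimeout() const;

  Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID,
                                 const mozilla::pkix::Input& sctExtension,
                                 /*out*/ bool& crliteCoversCertificate);

  Result CheckRevocationByOCSP(
      const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
      mozilla::pkix::Duration validityDuration, const nsCString& aiaLocation,
      const bool crliteCoversCertificate, const Result crliteResult,
      /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
      /*out*/ bool& softFailure);

  Result SynchronousCheckRevocationWithServer(
      const mozilla::pkix::CertID& certID, const nsCString& aiaLocation,
      mozilla::pkix::Time time, uint16_t maxOCSPLifetimeInDays,
      const Result cachedResponseResult, const Result stapledOCSPResponseResult,
      const bool crliteFilterCoversCertificate, const Result crliteResult,
      /*out*/ bool& softFailure);
  // Decides whether an OCSP failure is fatal or a soft failure, given what
  // the cache and any stapled response already said.
  Result HandleOCSPFailure(const Result cachedResponseResult,
                           const Result stapledOCSPResponseResult,
                           const Result error,
                           /*out*/ bool& softFailure);

  bool ShouldSkipSelfSignedNonTrustAnchor(mozilla::pkix::Input certDER);
  Result CheckCandidates(IssuerChecker& checker,
                         nsTArray<IssuerCandidateWithSource>& candidates,
                         mozilla::pkix::Input* nameConstraintsInputPtr,
                         bool& keepGoing);

  const SECTrustType mCertDBTrustType;
  const OCSPFetching mOCSPFetching;
  OCSPCache& mOCSPCache;  // non-owning!
  void* mPinArg;          // non-owning!
  const mozilla::TimeDuration mOCSPTimeoutSoft;
  const mozilla::TimeDuration mOCSPTimeoutHard;
  const uint32_t mCertShortLifetimeInDays;
  const unsigned int mMinRSABits;
  ValidityCheckingMode mValidityCheckingMode;
  NetscapeStepUpPolicy mNetscapeStepUpPolicy;
  CRLiteMode mCRLiteMode;
  bool mSawDistrustedCAByPolicyError;
  // The following references are bound to constructor arguments and must
  // outlive this object.
  const OriginAttributes& mOriginAttributes;
  const nsTArray<mozilla::pkix::Input>& mThirdPartyRootInputs;  // non-owning
  const nsTArray<mozilla::pkix::Input>&
      mThirdPartyIntermediateInputs;  // non-owning
  const Maybe<nsTArray<nsTArray<uint8_t>>>& mExtraCertificates;  // non-owning
  nsTArray<nsTArray<uint8_t>>& mBuiltChain;                      // non-owning
  bool mIsBuiltChainRootBuiltInRoot;
  PinningTelemetryInfo* mPinningTelemetryInfo;
  const char* mHostname;  // non-owning - only used for pinning checks
  nsCOMPtr<nsICertStorage> mCertStorage;
  CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
  // Certificate Transparency data extracted during certificate verification
  UniqueSECItem mSCTListFromCertificate;
  UniqueSECItem mSCTListFromOCSPStapling;

  // The built-in roots module, if available.
  UniqueSECMODModule mBuiltInRootsModule;

  OCSPFetchStatus mOCSPFetchStatus;
  IssuerSources mIssuerSources;
};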
340 } // namespace psm
341 } // namespace mozilla
343 #endif // NSSCertDBTrustDomain_h