search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1037316 part 1 - Return the same object when updating animations; r=dbaron
[gecko.git] / security / apps / AppTrustDomain.cpp
blob4789ad02845bc3cd554cf512d11104f03d531b7a
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #ifdef MOZ_LOGGING
8 #define FORCE_PR_LOG 1
9 #endif
10
11 #include "AppTrustDomain.h"
12 #include "certdb.h"
13 #include "pkix/pkix.h"
14 #include "mozilla/ArrayUtils.h"
15 #include "nsIX509CertDB.h"
16 #include "nsNSSCertificate.h"
17 #include "prerror.h"
18 #include "secerr.h"
19
20 // Generated in Makefile.in
21 #include "marketplace-prod-public.inc"
22 #include "marketplace-prod-reviewers.inc"
23 #include "marketplace-dev-public.inc"
24 #include "marketplace-dev-reviewers.inc"
25 #include "xpcshell.inc"
26
27 using namespace mozilla::pkix;
28
29 #ifdef PR_LOGGING
30 extern PRLogModuleInfo* gPIPNSSLog;
31 #endif
32
33 namespace mozilla { namespace psm {
34
35 AppTrustDomain::AppTrustDomain(ScopedCERTCertList& certChain, void* pinArg)
36 : mCertChain(certChain)
37 , mPinArg(pinArg)
38 {
39 }
40
41 SECStatus
42 AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
43 {
44 SECItem trustedDER;
45
46 // Load the trusted certificate into the in-memory NSS database so that
47 // CERT_CreateSubjectCertList can find it.
48
49 switch (trustedRoot)
50 {
51 case nsIX509CertDB::AppMarketplaceProdPublicRoot:
52 trustedDER.data = const_cast<uint8_t*>(marketplaceProdPublicRoot);
53 trustedDER.len = mozilla::ArrayLength(marketplaceProdPublicRoot);
54 break;
55
56 case nsIX509CertDB::AppMarketplaceProdReviewersRoot:
57 trustedDER.data = const_cast<uint8_t*>(marketplaceProdReviewersRoot);
58 trustedDER.len = mozilla::ArrayLength(marketplaceProdReviewersRoot);
59 break;
60
61 case nsIX509CertDB::AppMarketplaceDevPublicRoot:
62 trustedDER.data = const_cast<uint8_t*>(marketplaceDevPublicRoot);
63 trustedDER.len = mozilla::ArrayLength(marketplaceDevPublicRoot);
64 break;
65
66 case nsIX509CertDB::AppMarketplaceDevReviewersRoot:
67 trustedDER.data = const_cast<uint8_t*>(marketplaceDevReviewersRoot);
68 trustedDER.len = mozilla::ArrayLength(marketplaceDevReviewersRoot);
69 break;
70
71 case nsIX509CertDB::AppXPCShellRoot:
72 trustedDER.data = const_cast<uint8_t*>(xpcshellRoot);
73 trustedDER.len = mozilla::ArrayLength(xpcshellRoot);
74 break;
75
76 default:
77 PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
78 return SECFailure;
79 }
80
81 mTrustedRoot = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
82 &trustedDER, nullptr, false, true);
83 if (!mTrustedRoot) {
84 return SECFailure;
85 }
86
87 return SECSuccess;
88 }
89
90 SECStatus
91 AppTrustDomain::FindIssuer(const SECItem& encodedIssuerName,
92 IssuerChecker& checker, PRTime time)
93
94 {
95 MOZ_ASSERT(mTrustedRoot);
96 if (!mTrustedRoot) {
97 PR_SetError(PR_INVALID_STATE_ERROR, 0);
98 return SECFailure;
99 }
100
101 // TODO(bug 1035418): If/when mozilla::pkix relaxes the restriction that
102 // FindIssuer must only pass certificates with a matching subject name to
103 // checker.Check, we can stop using CERT_CreateSubjectCertList and instead
104 // use logic like this:
105 //
106 // 1. First, try the trusted trust anchor.
107 // 2. Secondly, iterate through the certificates that were stored in the CMS
108 // message, passing each one to checker.Check.
109 ScopedCERTCertList
110 candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
111 &encodedIssuerName, time, true));
112 if (candidates) {
113 for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
114 !CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
115 bool keepGoing;
116 SECStatus srv = checker.Check(n->cert->derCert,
117 nullptr/*additionalNameConstraints*/,
118 keepGoing);
119 if (srv != SECSuccess) {
120 return SECFailure;
121 }
122 if (!keepGoing) {
123 break;
124 }
125 }
126 }
127
128 return SECSuccess;
129 }
130
131 SECStatus
132 AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
133 const CertPolicyId& policy,
134 const SECItem& candidateCertDER,
135 /*out*/ TrustLevel* trustLevel)
136 {
137 MOZ_ASSERT(policy.IsAnyPolicy());
138 MOZ_ASSERT(trustLevel);
139 MOZ_ASSERT(mTrustedRoot);
140 if (!trustLevel || !policy.IsAnyPolicy()) {
141 PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
142 return SECFailure;
143 }
144 if (!mTrustedRoot) {
145 PR_SetError(PR_INVALID_STATE_ERROR, 0);
146 return SECFailure;
147 }
148
149 // Handle active distrust of the certificate.
150
151 // XXX: This would be cleaner and more efficient if we could get the trust
152 // information without constructing a CERTCertificate here, but NSS doesn't
153 // expose it in any other easy-to-use fashion.
154 ScopedCERTCertificate candidateCert(
155 CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
156 const_cast<SECItem*>(&candidateCertDER), nullptr,
157 false, true));
158 if (!candidateCert) {
159 return SECFailure;
160 }
161
162 CERTCertTrust trust;
163 if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
164 PRUint32 flags = SEC_GET_TRUST_FLAGS(&trust, trustObjectSigning);
165
166 // For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit,
167 // because we can have active distrust for either type of cert. Note that
168 // CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the
169 // relevant trust bit isn't set then that means the cert must be considered
170 // distrusted.
171 PRUint32 relevantTrustBit = endEntityOrCA == EndEntityOrCA::MustBeCA
172 ? CERTDB_TRUSTED_CA
173 : CERTDB_TRUSTED;
174 if (((flags & (relevantTrustBit | CERTDB_TERMINAL_RECORD)))
175 == CERTDB_TERMINAL_RECORD) {
176 *trustLevel = TrustLevel::ActivelyDistrusted;
177 return SECSuccess;
178 }
179 }
180
181 // mTrustedRoot is the only trust anchor for this validation.
182 if (CERT_CompareCerts(mTrustedRoot.get(), candidateCert.get())) {
183 *trustLevel = TrustLevel::TrustAnchor;
184 return SECSuccess;
185 }
186
187 *trustLevel = TrustLevel::InheritsTrust;
188 return SECSuccess;
189 }
190
191 SECStatus
192 AppTrustDomain::VerifySignedData(const SignedDataWithSignature& signedData,
193 const SECItem& subjectPublicKeyInfo)
194 {
195 return ::mozilla::pkix::VerifySignedData(signedData, subjectPublicKeyInfo,
196 mPinArg);
197 }
198
199 SECStatus
200 AppTrustDomain::DigestBuf(const SECItem& item, /*out*/ uint8_t* digestBuf,
201 size_t digestBufLen)
202 {
203 return ::mozilla::pkix::DigestBuf(item, digestBuf, digestBufLen);
204 }
205
206 SECStatus
207 AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, PRTime time,
208 /*optional*/ const SECItem*,
209 /*optional*/ const SECItem*)
210 {
211 // We don't currently do revocation checking. If we need to distrust an Apps
212 // certificate, we will use the active distrust mechanism.
213 return SECSuccess;
214 }
215
216 SECStatus
217 AppTrustDomain::IsChainValid(const DERArray& certChain)
218 {
219 return ConstructCERTCertListFromReversedDERArray(certChain, mCertChain);
220 }
221
222 SECStatus
223 AppTrustDomain::CheckPublicKey(const SECItem& subjectPublicKeyInfo)
224 {
225 return ::mozilla::pkix::CheckPublicKey(subjectPublicKeyInfo);
226 }
227
228 } } // namespace mozilla::psm