security/manager/ssl/SSLServerCertVerification.h

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
   2  *
   3  * This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6 #ifndef _SSLSERVERCERTVERIFICATION_H
   7 #define _SSLSERVERCERTVERIFICATION_H
   8
   9 #include "CertVerifier.h"
  10 #include "CommonSocketControl.h"
  11 #include "ScopedNSSTypes.h"
  12 #include "mozilla/Maybe.h"
  13 #include "mozpkix/pkix.h"
  14 #include "nsITransportSecurityInfo.h"
  15 #include "nsIX509Cert.h"
  16 #include "nsTArray.h"
  17 #include "nsThreadUtils.h"
  18 #include "prerror.h"
  19 #include "prio.h"
  20 #include "seccomon.h"
  21 #include "secoidt.h"
  22
  23 using namespace mozilla::pkix;
  24
  25 namespace mozilla {
  26 namespace psm {
  27
  28 enum class EVStatus : uint8_t;
  29
  30 SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
  31                               PRBool isServer);
  32
  33 // This function triggers the certificate verification. The verification is
  34 // asynchronous and the info object will be notified when the verification has
  35 // completed via SetCertVerificationResult.
  36 SECStatus AuthCertificateHookWithInfo(
  37     CommonSocketControl* socketControl, const nsACString& aHostName,
  38     const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
  39     Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses,
  40     Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags);
  41
  42 // Base class for dispatching the certificate verification result.
  43 class BaseSSLServerCertVerificationResult {
  44  public:
  45   NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING
  46
  47   [[nodiscard]] virtual nsresult Dispatch(
  48       nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
  49       nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
  50       uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
  51       bool aSucceeded, PRErrorCode aFinalError,
  52       nsITransportSecurityInfo::OverridableErrorCategory
  53           aOverridableErrorCategory,
  54       bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
  55       bool aMadeOCSPRequests) = 0;
  56 };
  57
  58 // Dispatched to the STS thread to notify the infoObject of the verification
  59 // result.
  60 //
  61 // This will cause the PR_Poll in the STS thread to return, so things work
  62 // correctly even if the STS thread is blocked polling (only) on the file
  63 // descriptor that is waiting for this result.
  64 class SSLServerCertVerificationResult final
  65     : public BaseSSLServerCertVerificationResult,
  66       public Runnable {
  67  public:
  68   NS_DECL_ISUPPORTS_INHERITED
  69   NS_DECL_NSIRUNNABLE
  70
  71   explicit SSLServerCertVerificationResult(CommonSocketControl* socketControl);
  72
  73   [[nodiscard]] nsresult Dispatch(
  74       nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
  75       nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
  76       uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
  77       bool aSucceeded, PRErrorCode aFinalError,
  78       nsITransportSecurityInfo::OverridableErrorCategory
  79           aOverridableErrorCategory,
  80       bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
  81       bool aMadeOCSPRequests) override;
  82
  83  private:
  84   ~SSLServerCertVerificationResult() = default;
  85
  86   RefPtr<CommonSocketControl> mSocketControl;
  87   nsTArray<nsTArray<uint8_t>> mBuiltChain;
  88   nsTArray<nsTArray<uint8_t>> mPeerCertChain;
  89   uint16_t mCertificateTransparencyStatus;
  90   EVStatus mEVStatus;
  91   bool mSucceeded;
  92   PRErrorCode mFinalError;
  93   nsITransportSecurityInfo::OverridableErrorCategory mOverridableErrorCategory;
  94   bool mIsBuiltCertChainRootBuiltInRoot;
  95   uint32_t mProviderFlags;
  96   bool mMadeOCSPRequests;
  97 };
  98
  99 class SSLServerCertVerificationJob : public Runnable {
 100  public:
 101   SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete;
 102
 103   // Must be called only on the socket transport thread
 104   static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg,
 105                             nsTArray<nsTArray<uint8_t>>&& peerCertChain,
 106                             const nsACString& aHostName, int32_t aPort,
 107                             const OriginAttributes& aOriginAttributes,
 108                             Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
 109                             Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
 110                             Maybe<DelegatedCredentialInfo>& dcInfo,
 111                             uint32_t providerFlags, Time time,
 112                             uint32_t certVerifierFlags,
 113                             BaseSSLServerCertVerificationResult* aResultTask);
 114
 115  private:
 116   NS_DECL_NSIRUNNABLE
 117
 118   // Must be called only on the socket transport thread
 119   SSLServerCertVerificationJob(uint64_t addrForLogging, void* aPinArg,
 120                                nsTArray<nsTArray<uint8_t>>&& peerCertChain,
 121                                const nsACString& aHostName, int32_t aPort,
 122                                const OriginAttributes& aOriginAttributes,
 123                                Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
 124                                Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
 125                                Maybe<DelegatedCredentialInfo>& dcInfo,
 126                                uint32_t providerFlags, Time time,
 127                                uint32_t certVerifierFlags,
 128                                BaseSSLServerCertVerificationResult* aResultTask)
 129       : Runnable("psm::SSLServerCertVerificationJob"),
 130         mAddrForLogging(addrForLogging),
 131         mPinArg(aPinArg),
 132         mPeerCertChain(std::move(peerCertChain)),
 133         mHostName(aHostName),
 134         mPort(aPort),
 135         mOriginAttributes(aOriginAttributes),
 136         mProviderFlags(providerFlags),
 137         mCertVerifierFlags(certVerifierFlags),
 138         mTime(time),
 139         mStapledOCSPResponse(std::move(stapledOCSPResponse)),
 140         mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)),
 141         mDCInfo(std::move(dcInfo)),
 142         mResultTask(aResultTask) {}
 143
 144   uint64_t mAddrForLogging;
 145   void* mPinArg;
 146   nsTArray<nsTArray<uint8_t>> mPeerCertChain;
 147   nsCString mHostName;
 148   int32_t mPort;
 149   OriginAttributes mOriginAttributes;
 150   const uint32_t mProviderFlags;
 151   const uint32_t mCertVerifierFlags;
 152   const Time mTime;
 153   Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
 154   Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
 155   Maybe<DelegatedCredentialInfo> mDCInfo;
 156   RefPtr<BaseSSLServerCertVerificationResult> mResultTask;
 157 };
 158
 159 }  // namespace psm
 160 }  // namespace mozilla
 161
 162 #endif