security/manager/ssl/TLSClientAuthCertSelection.h

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
   2  *
   3  * This Source Code Form is subject to the terms of the Mozilla Public
   4  * License, v. 2.0. If a copy of the MPL was not distributed with this
   5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   6
   7 #ifndef SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
   8 #define SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_
   9
  10 #include "NSSSocketControl.h"
  11 #include "nsIX509Cert.h"
  12 #include "nsNSSIOLayer.h"
  13 #include "nsThreadUtils.h"
  14 #include "ssl.h"
  15
  16 class NSSSocketControl;
  17
  18 // NSS callback to select a client authentication certificate. See documentation
  19 // at the top of TLSClientAuthCertSelection.cpp.
  20 SECStatus SSLGetClientAuthDataHook(void* arg, PRFileDesc* socket,
  21                                    CERTDistNames* caNames,
  22                                    CERTCertificate** pRetCert,
  23                                    SECKEYPrivateKey** pRetKey);
  24
  25 // Base class for continuing the operation of selecting a client authentication
  26 // certificate. Should not be used directly.
  27 class ClientAuthCertificateSelectedBase : public mozilla::Runnable {
  28  public:
  29   ClientAuthCertificateSelectedBase()
  30       : Runnable("ClientAuthCertificateSelectedBase") {}
  31
  32   // Call to indicate that a client authentication certificate has been
  33   // selected.
  34   void SetSelectedClientAuthData(
  35       nsTArray<uint8_t>&& selectedCertBytes,
  36       nsTArray<nsTArray<uint8_t>>&& selectedCertChainBytes);
  37
  38  protected:
  39   nsTArray<uint8_t> mSelectedCertBytes;
  40   // The bytes of the certificates that form a chain from the selected
  41   // certificate to a root. Necessary so NSS can include them in the TLS
  42   // handshake (see note about mClientCertChain in NSSSocketControl).
  43   nsTArray<nsTArray<uint8_t>> mSelectedCertChainBytes;
  44 };
  45
  46 class ClientAuthCertificateSelected : public ClientAuthCertificateSelectedBase {
  47  public:
  48   explicit ClientAuthCertificateSelected(NSSSocketControl* socketInfo)
  49       : mSocketInfo(socketInfo) {}
  50
  51   NS_IMETHOD Run() override;
  52
  53  private:
  54   RefPtr<NSSSocketControl> mSocketInfo;
  55 };
  56
  57 // This class is used to store the needed information for invoking the client
  58 // cert selection UI.
  59 class ClientAuthInfo final {
  60  public:
  61   explicit ClientAuthInfo(const nsACString& hostName,
  62                           const mozilla::OriginAttributes& originAttributes,
  63                           int32_t port, uint32_t providerFlags,
  64                           uint32_t providerTlsFlags);
  65   ~ClientAuthInfo() = default;
  66   ClientAuthInfo(ClientAuthInfo&& aOther) noexcept;
  67
  68   const nsACString& HostName() const;
  69   const mozilla::OriginAttributes& OriginAttributesRef() const;
  70   int32_t Port() const;
  71   uint32_t ProviderFlags() const;
  72   uint32_t ProviderTlsFlags() const;
  73
  74   ClientAuthInfo(const ClientAuthInfo&) = delete;
  75   void operator=(const ClientAuthInfo&) = delete;
  76
  77  private:
  78   nsCString mHostName;
  79   mozilla::OriginAttributes mOriginAttributes;
  80   int32_t mPort;
  81   uint32_t mProviderFlags;
  82   uint32_t mProviderTlsFlags;
  83 };
  84
  85 // Helper runnable to select a client authentication certificate. Gets created
  86 // on the socket thread or an IPC thread, runs on the main thread, and then runs
  87 // its continuation on the socket thread.
  88 class SelectClientAuthCertificate : public mozilla::Runnable {
  89  public:
  90   SelectClientAuthCertificate(
  91       ClientAuthInfo&& info, mozilla::UniqueCERTCertificate&& serverCert,
  92       mozilla::UniqueCERTCertList&& potentialClientCertificates,
  93       nsTArray<nsTArray<nsTArray<uint8_t>>>&& potentialClientCertificateChains,
  94       ClientAuthCertificateSelectedBase* continuation, uint64_t browserId)
  95       : Runnable("SelectClientAuthCertificate"),
  96         mInfo(std::move(info)),
  97         mServerCert(std::move(serverCert)),
  98         mPotentialClientCertificates(std::move(potentialClientCertificates)),
  99         mPotentialClientCertificateChains(
 100             std::move(potentialClientCertificateChains)),
 101         mContinuation(continuation),
 102         mBrowserId(browserId) {}
 103
 104   NS_IMETHOD Run() override;
 105
 106   const ClientAuthInfo& Info() { return mInfo; }
 107   void DispatchContinuation(nsTArray<uint8_t>&& selectedCertBytes);
 108
 109  private:
 110   ClientAuthInfo mInfo;
 111   mozilla::UniqueCERTCertificate mServerCert;
 112   mozilla::UniqueCERTCertList mPotentialClientCertificates;
 113   nsTArray<nsTArray<nsTArray<uint8_t>>> mPotentialClientCertificateChains;
 114   RefPtr<ClientAuthCertificateSelectedBase> mContinuation;
 115
 116   uint64_t mBrowserId;
 117   nsCOMPtr<nsIInterfaceRequestor> mSecurityCallbacks;
 118 };
 119
 120 #endif  // SECURITY_MANAGER_SSL_TLSCLIENTAUTHCERTSELECTION_H_