[gecko.git] / security / manager / ssl / nsNSSComponent.h
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef _nsNSSComponent_h_
8 #define _nsNSSComponent_h_
10 #include "nsINSSComponent.h"
12 #include "EnterpriseRoots.h"
13 #include "ScopedNSSTypes.h"
14 #include "SharedCertVerifier.h"
15 #include "mozilla/Monitor.h"
16 #include "mozilla/Mutex.h"
17 #include "mozilla/RefPtr.h"
18 #include "nsCOMPtr.h"
19 #include "nsIObserver.h"
20 #include "nsNSSCallbacks.h"
21 #include "nsServiceManagerUtils.h"
22 #include "prerror.h"
23 #include "sslt.h"
25 #ifdef XP_WIN
26 # include <windows.h> // this needs to be before the following includes
27 # include <wincrypt.h>
28 #endif // XP_WIN
30 class nsIDOMWindow;
31 class nsIPrompt;
32 class nsISerialEventTarget;
33 class nsITimer;
namespace mozilla::psm {

// Free functions declared here and defined elsewhere; this header only
// exposes their signatures.

// Hands back a reference to the shared certificate verifier as an
// already_AddRefed. [[nodiscard]] makes the compiler warn when a caller
// drops the returned reference instead of taking ownership of it.
[[nodiscard]] ::already_AddRefed<SharedCertVerifier> GetDefaultCertVerifier();

// Returns a UniqueCERTCertList.
// NOTE(review): per the name, the list holds client certificates that have a
// matching private key; confirm against the definition.
UniqueCERTCertList FindClientCertificatesWithPrivateKeys();

// Returns the CertVerifier::CertificateTransparencyMode value.
// NOTE(review): the source of the value (prefs, build config) is not visible
// in this header; confirm against the definition.
CertVerifier::CertificateTransparencyMode GetCertificateTransparencyMode();

}  // namespace mozilla::psm
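// Class ID constant for the NSS component, written as a brace initializer of
// the form { 32-bit, 16-bit, 16-bit, { eight bytes } }.
// The last line of the macro carries no continuation backslash, so the
// definition ends at the outer closing brace and does not absorb the
// declaration that follows it.
#define NS_NSSCOMPONENT_CID                          \
  {                                                  \
    0x4cb64dfd, 0xca98, 0x4e24, {                    \
      0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb \
    }                                                \
  }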
// Free helpers declared at global scope; their definitions are not part of
// this header.

// Reports success or failure as a bool.
// NOTE(review): per the name, this makes sure NSS is initialized in a chrome
// or content process; callers should check the result before using NSS.
bool EnsureNSSInitializedChromeOrContent();

// Takes the name of a preference.
// NOTE(review): presumably returns true when aPref was a TLS-related pref that
// this function handled; confirm against the definition.
bool HandleTLSPrefChange(const nsCString& aPref);

// NOTE(review): the name suggests validation settings shared between
// processes; which settings it applies is not visible here.
void SetValidationOptionsCommon();

// NOTE(review): the name suggests the socket-process counterpart of
// nsNSSComponent::PrepareForShutdown(); confirm against the definition.
void PrepareForShutdownInSocketProcess();
58 // Implementation of the PSM component interface.
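// Implementation of the PSM component interface.
//
// The class implements nsINSSComponent and nsIObserver and is final. Its
// state is split into three groups, each with its own access rule:
//   - members guarded by mLoadableCertsLoadedMonitor,
//   - members guarded by mMutex (touched from more than one thread),
//   - members that are main-thread only.
// The MOZ_GUARDED_BY annotations record which lock covers which member; any
// new code that reads or writes a guarded member must hold that lock.
class nsNSSComponent final : public nsINSSComponent, public nsIObserver {
 public:
  // LoadLoadableCertsTask updates mLoadableCertsLoaded and
  // mLoadableCertsLoadedResult and then signals mLoadableCertsLoadedMonitor.
  // Friendship exposes every private member to the task, not only those
  // named here, so the locking rules below apply to it as well.
  friend class LoadLoadableCertsTask;
  // BackgroundImportEnterpriseCertsTask calls ImportEnterpriseRoots and
  // UpdateCertVerifierWithEnterpriseRoots.
  friend class BackgroundImportEnterpriseCertsTask;

  nsNSSComponent();

  // XPCOM declaration macros for the reference counting / QueryInterface
  // members and for the methods of the two implemented interfaces.
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSINSSCOMPONENT
  NS_DECL_NSIOBSERVER

  nsresult Init();

  // Writes a prompter into *result.
  // NOTE(review): ownership of the returned pointer is not stated in this
  // header; confirm against the definition.
  static nsresult GetNewPrompter(nsIPrompt** result);

  // Fills rangeOut from the two pref-supplied versions and `defaults`.
  // NOTE(review): presumably falls back to `defaults` when the pref values do
  // not form a usable range; confirm against the definition.
  static void FillTLSVersionRange(SSLVersionRange& rangeOut,
                                  uint32_t minFromPrefs, uint32_t maxFromPrefs,
                                  SSLVersionRange defaults);

  static nsresult SetEnabledTLSVersions();

  // This function does the actual work of clearing the session cache. It is to
  // be used by the socket process (where there is no nsINSSComponent) and
  // internally by nsNSSComponent.
  // NB: NSS must have already been initialized before this is called.
  static void DoClearSSLExternalAndInternalSessionCache();

 protected:
  // Non-public destructor: instances are not destroyed directly by callers.
  virtual ~nsNSSComponent();

 private:
  nsresult InitializeNSS();
  void PrepareForShutdown();

  // proofOfLock is a reference to a MutexAutoLock the caller already holds.
  // NOTE(review): presumably the lock on mMutex; confirm at the call sites.
  void setValidationOptions(bool isInitialSetting,
                            const mozilla::MutexAutoLock& proofOfLock);
  // All five parameters are outputs, as marked.
  void GetRevocationBehaviorFromPrefs(
      /*out*/ mozilla::psm::CertVerifier::OcspDownloadConfig* odc,
      /*out*/ mozilla::psm::CertVerifier::OcspStrictConfig* osc,
      /*out*/ uint32_t* certShortLifetimeInDays,
      /*out*/ TimeDuration& softTimeout,
      /*out*/ TimeDuration& hardTimeout);
  void UpdateCertVerifierWithEnterpriseRoots();
  nsresult RegisterObservers();

  void MaybeImportEnterpriseRoots();
  void ImportEnterpriseRoots();
  void UnloadEnterpriseRoots();
  // Output goes into enterpriseCerts, one byte array per certificate.
  // NOTE(review): getRoots presumably selects roots versus the remaining
  // enterprise certificates; confirm against the definition.
  nsresult CommonGetEnterpriseCerts(
      nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots);

  // mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded and
  // mLoadableCertsLoadedResult.
  mozilla::Monitor mLoadableCertsLoadedMonitor;
  bool mLoadableCertsLoaded MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);
  nsresult mLoadableCertsLoadedResult
      MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);

  // mMutex protects all members that are accessed from more than one thread.
  mozilla::Mutex mMutex;

  // The following members are accessed from more than one thread:

#ifdef DEBUG
  // Present in DEBUG builds only.
  nsCString mTestBuiltInRootHash MOZ_GUARDED_BY(mMutex);
#endif
  // The verifier and the enterprise certificate list are trust-decision
  // state; both are covered by mMutex.
  RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier
      MOZ_GUARDED_BY(mMutex);
  nsString mMitmCanaryIssuer MOZ_GUARDED_BY(mMutex);
  // The spelling "Detecion" is part of the member's name; correcting it means
  // updating every use outside this header at the same time.
  bool mMitmDetecionEnabled MOZ_GUARDED_BY(mMutex);
  nsTArray<EnterpriseCert> mEnterpriseCerts MOZ_GUARDED_BY(mMutex);

  // The following members are accessed only on the main thread:
  // (no lock annotation, so nothing enforces this rule mechanically)
  static int mInstanceCount;
};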
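// Looks up the PSM service by contract ID and forwards to its
// nsINSSComponent::BlockUntilLoadableCertsLoaded().
//
// Returns NS_ERROR_FAILURE when the service cannot be obtained; otherwise
// returns whatever the component's method returns. Callers should treat any
// failure as "loadable certs are not known to be loaded".
inline nsresult BlockUntilLoadableCertsLoaded() {
  nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
  if (!component) {
    // No PSM component available: report failure instead of dereferencing.
    return NS_ERROR_FAILURE;
  }
  return component->BlockUntilLoadableCertsLoaded();
}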
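// Looks up the PSM service by contract ID and forwards to its
// nsINSSComponent::CheckForSmartCardChanges().
//
// Returns NS_ERROR_FAILURE when the service cannot be obtained. In builds
// that define MOZ_NO_SMART_CARDS the function does nothing and returns NS_OK,
// so NS_OK from such a build does not mean that any check was performed.
inline nsresult CheckForSmartCardChanges() {
#ifndef MOZ_NO_SMART_CARDS
  nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
  if (!component) {
    // No PSM component available: report failure instead of dereferencing.
    return NS_ERROR_FAILURE;
  }
  return component->CheckForSmartCardChanges();
#else
  return NS_OK;
#endif
}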
158 #endif // _nsNSSComponent_h_