2007-10-03 11:43:54 +00:00
|
|
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
|
|
|
*
|
2012-05-31 09:33:35 +00:00
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
#include "nsCertOverrideService.h"
|
2014-01-23 01:13:19 +00:00
|
|
|
|
2013-07-08 23:30:59 +00:00
|
|
|
#include "NSSCertDBTrustDomain.h"
|
2014-10-24 17:46:30 +00:00
|
|
|
#include "ScopedNSSTypes.h"
|
|
|
|
|
#include "SharedSSLState.h"
|
2014-10-30 20:12:01 +00:00
|
|
|
#include "mozilla/Telemetry.h"
|
2014-10-28 13:10:38 +00:00
|
|
|
#include "nsAppDirectoryServiceDefs.h"
|
2014-10-24 17:46:30 +00:00
|
|
|
#include "nsCRT.h"
|
2007-10-03 11:43:54 +00:00
|
|
|
#include "nsILineInputStream.h"
|
|
|
|
|
#include "nsIObserver.h"
|
|
|
|
|
#include "nsIObserverService.h"
|
2014-10-24 17:46:30 +00:00
|
|
|
#include "nsIX509Cert.h"
|
|
|
|
|
#include "nsNSSCertHelper.h"
|
|
|
|
|
#include "nsNSSCertificate.h"
|
|
|
|
|
#include "nsNSSComponent.h"
|
|
|
|
|
#include "nsNetUtil.h"
|
2007-10-03 11:43:54 +00:00
|
|
|
#include "nsPromiseFlatString.h"
|
2014-10-24 17:46:30 +00:00
|
|
|
#include "nsStreamUtils.h"
|
2014-10-28 13:10:38 +00:00
|
|
|
#include "nsStringBuffer.h"
|
2014-10-24 17:46:30 +00:00
|
|
|
#include "nsThreadUtils.h"
|
2008-02-22 08:50:11 +00:00
|
|
|
#include "ssl.h" // For SSL_ClearSessionCache
|
2007-10-03 11:43:54 +00:00
|
|
|
|
Rollup of bug 645263 and bug 646259: Switch to mozilla:: sync primitives. r=cjones,dbaron,doublec,ehsan src=bsmedberg
Bug 645263, part 0: Count sync primitive ctor/dtors. r=dbaron
Bug 645263, part 1: Migrate content/media to mozilla:: sync primitives. r=doublec
Bug 645263, part 2: Migrate modules/plugin to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 3: Migrate nsComponentManagerImpl to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 4: Migrate everything else to mozilla:: sync primitives. r=dbaron
Bug 645263, part 5: Remove nsAutoLock.*. sr=bsmedberg
Bug 645263, part 6: Make editor test be nicer to deadlock detector. r=ehsan
Bug 645263, part 7: Disable tracemalloc backtraces for xpcshell tests. r=dbaron
Bug 646259: Fix nsCacheService to use a CondVar for notifying. r=cjones
2011-04-01 04:29:02 +00:00
|
|
|
using namespace mozilla;
|
2014-01-23 01:13:19 +00:00
|
|
|
using namespace mozilla::psm;
|
Rollup of bug 645263 and bug 646259: Switch to mozilla:: sync primitives. r=cjones,dbaron,doublec,ehsan src=bsmedberg
Bug 645263, part 0: Count sync primitive ctor/dtors. r=dbaron
Bug 645263, part 1: Migrate content/media to mozilla:: sync primitives. r=doublec
Bug 645263, part 2: Migrate modules/plugin to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 3: Migrate nsComponentManagerImpl to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 4: Migrate everything else to mozilla:: sync primitives. r=dbaron
Bug 645263, part 5: Remove nsAutoLock.*. sr=bsmedberg
Bug 645263, part 6: Make editor test be nicer to deadlock detector. r=ehsan
Bug 645263, part 7: Disable tracemalloc backtraces for xpcshell tests. r=dbaron
Bug 646259: Fix nsCacheService to use a CondVar for notifying. r=cjones
2011-04-01 04:29:02 +00:00
|
|
|
|
2015-05-14 23:35:18 +00:00
|
|
|
static const char kCertOverrideFileName[] = "cert_override.txt";
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
void
|
|
|
|
|
nsCertOverride::convertBitsToString(OverrideBits ob, nsACString &str)
|
|
|
|
|
{
|
|
|
|
|
str.Truncate();
|
|
|
|
|
|
|
|
|
|
if (ob & ob_Mismatch)
|
|
|
|
|
str.Append('M');
|
|
|
|
|
|
|
|
|
|
if (ob & ob_Untrusted)
|
|
|
|
|
str.Append('U');
|
|
|
|
|
|
|
|
|
|
if (ob & ob_Time_error)
|
|
|
|
|
str.Append('T');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
nsCertOverride::convertStringToBits(const nsACString &str, OverrideBits &ob)
|
|
|
|
|
{
|
|
|
|
|
const nsPromiseFlatCString &flat = PromiseFlatCString(str);
|
|
|
|
|
const char *walk = flat.get();
|
|
|
|
|
|
|
|
|
|
ob = ob_None;
|
|
|
|
|
|
|
|
|
|
for ( ; *walk; ++walk)
|
|
|
|
|
{
|
|
|
|
|
switch (*walk)
|
|
|
|
|
{
|
|
|
|
|
case 'm':
|
|
|
|
|
case 'M':
|
|
|
|
|
ob = (OverrideBits)(ob | ob_Mismatch);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'u':
|
|
|
|
|
case 'U':
|
|
|
|
|
ob = (OverrideBits)(ob | ob_Untrusted);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 't':
|
|
|
|
|
case 'T':
|
|
|
|
|
ob = (OverrideBits)(ob | ob_Time_error);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-27 07:06:00 +00:00
|
|
|
NS_IMPL_ISUPPORTS(nsCertOverrideService,
|
|
|
|
|
nsICertOverrideService,
|
|
|
|
|
nsIObserver,
|
|
|
|
|
nsISupportsWeakReference)
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
nsCertOverrideService::nsCertOverrideService()
|
Rollup of bug 645263 and bug 646259: Switch to mozilla:: sync primitives. r=cjones,dbaron,doublec,ehsan src=bsmedberg
Bug 645263, part 0: Count sync primitive ctor/dtors. r=dbaron
Bug 645263, part 1: Migrate content/media to mozilla:: sync primitives. r=doublec
Bug 645263, part 2: Migrate modules/plugin to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 3: Migrate nsComponentManagerImpl to mozilla:: sync primitives. sr=bsmedberg
Bug 645263, part 4: Migrate everything else to mozilla:: sync primitives. r=dbaron
Bug 645263, part 5: Remove nsAutoLock.*. sr=bsmedberg
Bug 645263, part 6: Make editor test be nicer to deadlock detector. r=ehsan
Bug 645263, part 7: Disable tracemalloc backtraces for xpcshell tests. r=dbaron
Bug 646259: Fix nsCacheService to use a CondVar for notifying. r=cjones
2011-04-01 04:29:02 +00:00
|
|
|
: monitor("nsCertOverrideService.monitor")
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsCertOverrideService::~nsCertOverrideService()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult
|
|
|
|
|
nsCertOverrideService::Init()
|
|
|
|
|
{
|
2011-10-07 00:46:52 +00:00
|
|
|
if (!NS_IsMainThread()) {
|
|
|
|
|
NS_NOTREACHED("nsCertOverrideService initialized off main thread");
|
|
|
|
|
return NS_ERROR_NOT_SAME_THREAD;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-24 17:46:30 +00:00
|
|
|
// Note that the names of these variables would seem to indicate that at one
|
|
|
|
|
// point another hash algorithm was used and is still supported for backwards
|
|
|
|
|
// compatibility. This is not the case. It has always been SHA256.
|
2007-10-03 11:43:54 +00:00
|
|
|
mOidTagForStoringNewHashes = SEC_OID_SHA256;
|
2014-10-24 17:46:30 +00:00
|
|
|
mDottedOidForStoringNewHashes.Assign("OID.2.16.840.1.101.3.4.2.1");
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2011-10-07 00:46:52 +00:00
|
|
|
nsCOMPtr<nsIObserverService> observerService =
|
|
|
|
|
mozilla::services::GetObserverService();
|
|
|
|
|
|
|
|
|
|
// If we cannot add ourselves as a profile change observer, then we will not
|
|
|
|
|
// attempt to read/write any settings file. Otherwise, we would end up
|
|
|
|
|
// reading/writing the wrong settings file after a profile change.
|
|
|
|
|
if (observerService) {
|
|
|
|
|
observerService->AddObserver(this, "profile-before-change", true);
|
|
|
|
|
observerService->AddObserver(this, "profile-do-change", true);
|
|
|
|
|
// simulate a profile change so we read the current profile's settings file
|
2012-07-30 14:20:58 +00:00
|
|
|
Observe(nullptr, "profile-do-change", nullptr);
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
2012-12-07 22:50:43 +00:00
|
|
|
SharedSSLState::NoteCertOverrideServiceInstantiated();
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2011-10-07 00:46:52 +00:00
|
|
|
nsCertOverrideService::Observe(nsISupports *,
|
2007-10-03 11:43:54 +00:00
|
|
|
const char *aTopic,
|
2014-01-04 15:02:17 +00:00
|
|
|
const char16_t *aData)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
// check the topic
|
|
|
|
|
if (!nsCRT::strcmp(aTopic, "profile-before-change")) {
|
|
|
|
|
// The profile is about to change,
|
|
|
|
|
// or is going away because the application is shutting down.
|
|
|
|
|
|
2014-12-30 19:47:15 +00:00
|
|
|
RemoveAllFromMemory();
|
2007-10-03 11:43:54 +00:00
|
|
|
} else if (!nsCRT::strcmp(aTopic, "profile-do-change")) {
|
|
|
|
|
// The profile has already changed.
|
|
|
|
|
// Now read from the new profile location.
|
|
|
|
|
// we also need to update the cached file location
|
|
|
|
|
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, getter_AddRefs(mSettingsFile));
|
|
|
|
|
if (NS_SUCCEEDED(rv)) {
|
2015-05-14 23:35:18 +00:00
|
|
|
mSettingsFile->AppendNative(NS_LITERAL_CSTRING(kCertOverrideFileName));
|
2011-10-07 00:46:52 +00:00
|
|
|
} else {
|
2012-07-30 14:20:58 +00:00
|
|
|
mSettingsFile = nullptr;
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
Read();
|
2014-10-29 23:25:16 +00:00
|
|
|
CountPermanentOverrideTelemetry();
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
nsCertOverrideService::RemoveAllFromMemory()
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
mSettingsTable.Clear();
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-08 16:15:12 +00:00
|
|
|
static PLDHashOperator
|
2008-10-23 02:16:06 +00:00
|
|
|
RemoveTemporariesCallback(nsCertOverrideEntry *aEntry,
|
|
|
|
|
void *aArg)
|
|
|
|
|
{
|
|
|
|
|
if (aEntry && aEntry->mSettings.mIsTemporary) {
|
2012-07-30 14:20:58 +00:00
|
|
|
aEntry->mSettings.mCert = nullptr;
|
2008-10-23 02:16:06 +00:00
|
|
|
return PL_DHASH_REMOVE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
nsCertOverrideService::RemoveAllTemporaryOverrides()
|
|
|
|
|
{
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2012-07-30 14:20:58 +00:00
|
|
|
mSettingsTable.EnumerateEntries(RemoveTemporariesCallback, nullptr);
|
2008-10-23 02:16:06 +00:00
|
|
|
// no need to write, as temporaries are never written to disk
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-03 11:43:54 +00:00
|
|
|
nsresult
|
|
|
|
|
nsCertOverrideService::Read()
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2011-10-07 00:46:52 +00:00
|
|
|
// If we don't have a profile, then we won't try to read any settings file.
|
|
|
|
|
if (!mSettingsFile)
|
|
|
|
|
return NS_OK;
|
|
|
|
|
|
2007-10-03 11:43:54 +00:00
|
|
|
nsresult rv;
|
|
|
|
|
nsCOMPtr<nsIInputStream> fileInputStream;
|
|
|
|
|
rv = NS_NewLocalFileInputStream(getter_AddRefs(fileInputStream), mSettingsFile);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsCOMPtr<nsILineInputStream> lineInputStream = do_QueryInterface(fileInputStream, &rv);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString buffer;
|
2011-09-29 06:19:26 +00:00
|
|
|
bool isMore = true;
|
2012-08-22 15:56:38 +00:00
|
|
|
int32_t hostIndex = 0, algoIndex, fingerprintIndex, overrideBitsIndex, dbKeyIndex;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
/* file format is:
|
|
|
|
|
*
|
|
|
|
|
* host:port \t fingerprint-algorithm \t fingerprint \t override-mask \t dbKey
|
|
|
|
|
*
|
|
|
|
|
* where override-mask is a sequence of characters,
|
|
|
|
|
* M meaning hostname-Mismatch-override
|
|
|
|
|
* U meaning Untrusted-override
|
|
|
|
|
* T meaning Time-error-override (expired/not yet valid)
|
|
|
|
|
*
|
|
|
|
|
* if this format isn't respected we move onto the next line in the file.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
while (isMore && NS_SUCCEEDED(lineInputStream->ReadLine(buffer, &isMore))) {
|
|
|
|
|
if (buffer.IsEmpty() || buffer.First() == '#') {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// this is a cheap, cheesy way of parsing a tab-delimited line into
|
|
|
|
|
// string indexes, which can be lopped off into substrings. just for
|
|
|
|
|
// purposes of obfuscation, it also checks that each token was found.
|
|
|
|
|
// todo: use iterators?
|
|
|
|
|
if ((algoIndex = buffer.FindChar('\t', hostIndex) + 1) == 0 ||
|
|
|
|
|
(fingerprintIndex = buffer.FindChar('\t', algoIndex) + 1) == 0 ||
|
|
|
|
|
(overrideBitsIndex = buffer.FindChar('\t', fingerprintIndex) + 1) == 0 ||
|
|
|
|
|
(dbKeyIndex = buffer.FindChar('\t', overrideBitsIndex) + 1) == 0) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-22 20:03:20 +00:00
|
|
|
const nsASingleFragmentCString &tmp = Substring(buffer, hostIndex, algoIndex - hostIndex - 1);
|
2007-10-03 11:43:54 +00:00
|
|
|
const nsASingleFragmentCString &algo_string = Substring(buffer, algoIndex, fingerprintIndex - algoIndex - 1);
|
|
|
|
|
const nsASingleFragmentCString &fingerprint = Substring(buffer, fingerprintIndex, overrideBitsIndex - fingerprintIndex - 1);
|
|
|
|
|
const nsASingleFragmentCString &bits_string = Substring(buffer, overrideBitsIndex, dbKeyIndex - overrideBitsIndex - 1);
|
|
|
|
|
const nsASingleFragmentCString &db_key = Substring(buffer, dbKeyIndex, buffer.Length() - dbKeyIndex);
|
|
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString host(tmp);
|
2007-10-03 11:43:54 +00:00
|
|
|
nsCertOverride::OverrideBits bits;
|
|
|
|
|
nsCertOverride::convertStringToBits(bits_string, bits);
|
|
|
|
|
|
2012-08-22 15:56:38 +00:00
|
|
|
int32_t port;
|
|
|
|
|
int32_t portIndex = host.RFindChar(':');
|
2008-04-22 20:03:20 +00:00
|
|
|
if (portIndex == kNotFound)
|
|
|
|
|
continue; // Ignore broken entries
|
|
|
|
|
|
2012-07-27 13:59:29 +00:00
|
|
|
nsresult portParseError;
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString portString(Substring(host, portIndex+1));
|
2008-04-22 20:03:20 +00:00
|
|
|
port = portString.ToInteger(&portParseError);
|
2012-08-13 13:49:48 +00:00
|
|
|
if (NS_FAILED(portParseError))
|
2008-04-22 20:03:20 +00:00
|
|
|
continue; // Ignore broken entries
|
|
|
|
|
|
|
|
|
|
host.Truncate(portIndex);
|
|
|
|
|
|
|
|
|
|
AddEntryToList(host, port,
|
2012-07-30 14:20:58 +00:00
|
|
|
nullptr, // don't have the cert
|
2011-10-17 14:59:28 +00:00
|
|
|
false, // not temporary
|
2007-11-19 15:32:43 +00:00
|
|
|
algo_string, fingerprint, bits, db_key);
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-08 16:15:12 +00:00
|
|
|
static PLDHashOperator
|
2007-10-03 11:43:54 +00:00
|
|
|
WriteEntryCallback(nsCertOverrideEntry *aEntry,
|
|
|
|
|
void *aArg)
|
|
|
|
|
{
|
|
|
|
|
static const char kTab[] = "\t";
|
|
|
|
|
|
|
|
|
|
nsIOutputStream *rawStreamPtr = (nsIOutputStream *)aArg;
|
|
|
|
|
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t unused;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
if (rawStreamPtr && aEntry)
|
|
|
|
|
{
|
|
|
|
|
const nsCertOverride &settings = aEntry->mSettings;
|
2007-11-19 15:32:43 +00:00
|
|
|
if (settings.mIsTemporary)
|
|
|
|
|
return PL_DHASH_NEXT;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString bits_string;
|
2007-10-03 11:43:54 +00:00
|
|
|
nsCertOverride::convertBitsToString(settings.mOverrideBits,
|
|
|
|
|
bits_string);
|
|
|
|
|
|
2012-07-30 09:24:36 +00:00
|
|
|
rawStreamPtr->Write(aEntry->mHostWithPort.get(), aEntry->mHostWithPort.Length(), &unused);
|
|
|
|
|
rawStreamPtr->Write(kTab, sizeof(kTab) - 1, &unused);
|
2007-10-03 11:43:54 +00:00
|
|
|
rawStreamPtr->Write(settings.mFingerprintAlgOID.get(),
|
2012-07-30 09:24:36 +00:00
|
|
|
settings.mFingerprintAlgOID.Length(), &unused);
|
|
|
|
|
rawStreamPtr->Write(kTab, sizeof(kTab) - 1, &unused);
|
2007-10-03 11:43:54 +00:00
|
|
|
rawStreamPtr->Write(settings.mFingerprint.get(),
|
2012-07-30 09:24:36 +00:00
|
|
|
settings.mFingerprint.Length(), &unused);
|
|
|
|
|
rawStreamPtr->Write(kTab, sizeof(kTab) - 1, &unused);
|
2007-10-03 11:43:54 +00:00
|
|
|
rawStreamPtr->Write(bits_string.get(),
|
2012-07-30 09:24:36 +00:00
|
|
|
bits_string.Length(), &unused);
|
|
|
|
|
rawStreamPtr->Write(kTab, sizeof(kTab) - 1, &unused);
|
|
|
|
|
rawStreamPtr->Write(settings.mDBKey.get(), settings.mDBKey.Length(), &unused);
|
|
|
|
|
rawStreamPtr->Write(NS_LINEBREAK, NS_LINEBREAK_LEN, &unused);
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult
|
|
|
|
|
nsCertOverrideService::Write()
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2011-10-07 00:46:52 +00:00
|
|
|
// If we don't have any profile, then we won't try to write any file
|
2007-10-03 11:43:54 +00:00
|
|
|
if (!mSettingsFile) {
|
2011-10-07 00:46:52 +00:00
|
|
|
return NS_OK;
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult rv;
|
|
|
|
|
nsCOMPtr<nsIOutputStream> fileOutputStream;
|
|
|
|
|
rv = NS_NewSafeLocalFileOutputStream(getter_AddRefs(fileOutputStream),
|
|
|
|
|
mSettingsFile,
|
|
|
|
|
-1,
|
|
|
|
|
0600);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
NS_ERROR("failed to open cert_warn_settings.txt for writing");
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// get a buffered output stream 4096 bytes big, to optimize writes
|
|
|
|
|
nsCOMPtr<nsIOutputStream> bufferedOutputStream;
|
|
|
|
|
rv = NS_NewBufferedOutputStream(getter_AddRefs(bufferedOutputStream), fileOutputStream, 4096);
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const char kHeader[] =
|
2007-11-09 15:12:34 +00:00
|
|
|
"# PSM Certificate Override Settings file" NS_LINEBREAK
|
|
|
|
|
"# This is a generated file! Do not edit." NS_LINEBREAK;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
/* see ::Read for file format */
|
|
|
|
|
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t unused;
|
2012-07-30 09:24:36 +00:00
|
|
|
bufferedOutputStream->Write(kHeader, sizeof(kHeader) - 1, &unused);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
nsIOutputStream *rawStreamPtr = bufferedOutputStream;
|
|
|
|
|
mSettingsTable.EnumerateEntries(WriteEntryCallback, rawStreamPtr);
|
|
|
|
|
|
|
|
|
|
// All went ok. Maybe except for problems in Write(), but the stream detects
|
|
|
|
|
// that for us
|
|
|
|
|
nsCOMPtr<nsISafeOutputStream> safeStream = do_QueryInterface(bufferedOutputStream);
|
|
|
|
|
NS_ASSERTION(safeStream, "expected a safe output stream!");
|
|
|
|
|
if (safeStream) {
|
|
|
|
|
rv = safeStream->Finish();
|
|
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
NS_WARNING("failed to save cert warn settings file! possible dataloss");
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static nsresult
|
|
|
|
|
GetCertFingerprintByOidTag(nsIX509Cert *aCert,
|
|
|
|
|
SECOidTag aOidTag,
|
|
|
|
|
nsCString &fp)
|
|
|
|
|
{
|
|
|
|
|
|
2014-07-04 04:49:56 +00:00
|
|
|
ScopedCERTCertificate nsscert(aCert->GetCert());
|
2014-07-04 05:09:24 +00:00
|
|
|
if (!nsscert) {
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-07-04 05:09:24 +00:00
|
|
|
}
|
2014-01-23 01:13:19 +00:00
|
|
|
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2014-07-04 05:09:24 +00:00
|
|
|
nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
|
|
|
|
|
int32_t aPort,
|
|
|
|
|
nsIX509Cert* aCert,
|
|
|
|
|
uint32_t aOverrideBits,
|
2011-09-29 06:19:26 +00:00
|
|
|
bool aTemporary)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aCert);
|
2008-04-22 20:03:20 +00:00
|
|
|
if (aHostName.IsEmpty())
|
|
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
|
if (aPort < -1)
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
|
|
2014-07-04 04:49:56 +00:00
|
|
|
ScopedCERTCertificate nsscert(aCert->GetCert());
|
2014-07-04 05:09:24 +00:00
|
|
|
if (!nsscert) {
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_ERROR_FAILURE;
|
2014-07-04 05:09:24 +00:00
|
|
|
}
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2013-07-08 23:30:59 +00:00
|
|
|
char* nickname = DefaultServerNicknameForCert(nsscert.get());
|
2011-03-27 19:09:32 +00:00
|
|
|
if (!aTemporary && nickname && *nickname)
|
2008-04-24 02:05:37 +00:00
|
|
|
{
|
2012-11-12 17:42:28 +00:00
|
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
2011-03-27 19:09:32 +00:00
|
|
|
if (!slot) {
|
|
|
|
|
PR_Free(nickname);
|
2008-04-24 02:05:37 +00:00
|
|
|
return NS_ERROR_FAILURE;
|
2011-03-27 19:09:32 +00:00
|
|
|
}
|
2008-04-24 02:05:37 +00:00
|
|
|
|
2014-01-23 01:13:19 +00:00
|
|
|
SECStatus srv = PK11_ImportCert(slot, nsscert.get(), CK_INVALID_HANDLE,
|
2011-10-17 14:59:28 +00:00
|
|
|
nickname, false);
|
2011-03-27 19:09:32 +00:00
|
|
|
if (srv != SECSuccess) {
|
|
|
|
|
PR_Free(nickname);
|
2008-04-24 02:05:37 +00:00
|
|
|
return NS_ERROR_FAILURE;
|
2011-03-27 19:09:32 +00:00
|
|
|
}
|
2008-04-24 02:05:37 +00:00
|
|
|
}
|
2011-03-27 19:09:32 +00:00
|
|
|
PR_FREEIF(nickname);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString fpStr;
|
2014-01-23 01:13:19 +00:00
|
|
|
nsresult rv = GetCertFingerprintByOidTag(nsscert.get(),
|
2007-10-03 11:43:54 +00:00
|
|
|
mOidTagForStoringNewHashes, fpStr);
|
|
|
|
|
if (NS_FAILED(rv))
|
|
|
|
|
return rv;
|
|
|
|
|
|
2012-10-17 20:48:36 +00:00
|
|
|
char *dbkey = nullptr;
|
2007-10-03 11:43:54 +00:00
|
|
|
rv = aCert->GetDbKey(&dbkey);
|
|
|
|
|
if (NS_FAILED(rv) || !dbkey)
|
|
|
|
|
return rv;
|
|
|
|
|
|
|
|
|
|
// change \n and \r to spaces in the possibly multi-line-base64-encoded key
|
|
|
|
|
for (char *dbkey_walk = dbkey;
|
|
|
|
|
*dbkey_walk;
|
|
|
|
|
++dbkey_walk) {
|
|
|
|
|
char c = *dbkey_walk;
|
|
|
|
|
if (c == '\r' || c == '\n') {
|
|
|
|
|
*dbkey_walk = ' ';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2008-04-22 20:03:20 +00:00
|
|
|
AddEntryToList(aHostName, aPort,
|
2012-07-30 14:20:58 +00:00
|
|
|
aTemporary ? aCert : nullptr,
|
2008-10-23 02:16:06 +00:00
|
|
|
// keep a reference to the cert for temporary overrides
|
2007-11-19 15:32:43 +00:00
|
|
|
aTemporary,
|
|
|
|
|
mDottedOidForStoringNewHashes, fpStr,
|
2007-10-03 11:43:54 +00:00
|
|
|
(nsCertOverride::OverrideBits)aOverrideBits,
|
|
|
|
|
nsDependentCString(dbkey));
|
|
|
|
|
Write();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PR_Free(dbkey);
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2012-08-22 15:56:38 +00:00
|
|
|
nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t aPort,
|
2007-10-03 11:43:54 +00:00
|
|
|
nsIX509Cert *aCert,
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t *aOverrideBits,
|
2011-09-29 06:19:26 +00:00
|
|
|
bool *aIsTemporary,
|
|
|
|
|
bool *_retval)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
2008-04-22 20:03:20 +00:00
|
|
|
if (aHostName.IsEmpty())
|
|
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
|
if (aPort < -1)
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_ERROR_INVALID_ARG;
|
|
|
|
|
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aCert);
|
|
|
|
|
NS_ENSURE_ARG_POINTER(aOverrideBits);
|
2007-11-19 15:32:43 +00:00
|
|
|
NS_ENSURE_ARG_POINTER(aIsTemporary);
|
2007-10-03 11:43:54 +00:00
|
|
|
NS_ENSURE_ARG_POINTER(_retval);
|
2011-10-17 14:59:28 +00:00
|
|
|
*_retval = false;
|
2007-10-03 11:43:54 +00:00
|
|
|
*aOverrideBits = nsCertOverride::ob_None;
|
|
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString hostPort;
|
2008-04-22 20:03:20 +00:00
|
|
|
GetHostWithPort(aHostName, aPort, hostPort);
|
2007-10-03 11:43:54 +00:00
|
|
|
nsCertOverride settings;
|
|
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2008-04-22 20:03:20 +00:00
|
|
|
nsCertOverrideEntry *entry = mSettingsTable.GetEntry(hostPort.get());
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
if (!entry)
|
|
|
|
|
return NS_OK;
|
|
|
|
|
|
|
|
|
|
settings = entry->mSettings; // copy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*aOverrideBits = settings.mOverrideBits;
|
2007-11-19 15:32:43 +00:00
|
|
|
*aIsTemporary = settings.mIsTemporary;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString fpStr;
|
2007-10-03 11:43:54 +00:00
|
|
|
nsresult rv;
|
|
|
|
|
|
2014-10-24 17:46:30 +00:00
|
|
|
// This code was originally written in a way that suggested that other hash
|
|
|
|
|
// algorithms are supported for backwards compatibility. However, this was
|
|
|
|
|
// always unnecessary, because only SHA256 has ever been used here.
|
2007-10-03 11:43:54 +00:00
|
|
|
if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
|
|
|
|
|
rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
|
2014-10-24 17:46:30 +00:00
|
|
|
if (NS_FAILED(rv)) {
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
return NS_ERROR_UNEXPECTED;
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*_retval = settings.mFingerprint.Equals(fpStr);
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2012-08-22 15:56:38 +00:00
|
|
|
nsCertOverrideService::GetValidityOverride(const nsACString & aHostName, int32_t aPort,
|
2007-10-03 11:43:54 +00:00
|
|
|
nsACString & aHashAlg,
|
|
|
|
|
nsACString & aFingerprint,
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t *aOverrideBits,
|
2011-09-29 06:19:26 +00:00
|
|
|
bool *aIsTemporary,
|
|
|
|
|
bool *_found)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG_POINTER(_found);
|
2007-11-19 15:32:43 +00:00
|
|
|
NS_ENSURE_ARG_POINTER(aIsTemporary);
|
2007-10-03 11:43:54 +00:00
|
|
|
NS_ENSURE_ARG_POINTER(aOverrideBits);
|
2011-10-17 14:59:28 +00:00
|
|
|
*_found = false;
|
2007-10-03 11:43:54 +00:00
|
|
|
*aOverrideBits = nsCertOverride::ob_None;
|
|
|
|
|
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString hostPort;
|
2008-04-22 20:03:20 +00:00
|
|
|
GetHostWithPort(aHostName, aPort, hostPort);
|
2007-10-03 11:43:54 +00:00
|
|
|
nsCertOverride settings;
|
|
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2008-04-22 20:03:20 +00:00
|
|
|
nsCertOverrideEntry *entry = mSettingsTable.GetEntry(hostPort.get());
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
if (entry) {
|
2011-10-17 14:59:28 +00:00
|
|
|
*_found = true;
|
2007-10-03 11:43:54 +00:00
|
|
|
settings = entry->mSettings; // copy
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*_found) {
|
|
|
|
|
*aOverrideBits = settings.mOverrideBits;
|
2007-11-19 15:32:43 +00:00
|
|
|
*aIsTemporary = settings.mIsTemporary;
|
2007-10-03 11:43:54 +00:00
|
|
|
aFingerprint = settings.mFingerprint;
|
|
|
|
|
aHashAlg = settings.mFingerprintAlgOID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult
|
2012-08-22 15:56:38 +00:00
|
|
|
nsCertOverrideService::AddEntryToList(const nsACString &aHostName, int32_t aPort,
|
2008-10-23 02:16:06 +00:00
|
|
|
nsIX509Cert *aCert,
|
2011-09-29 06:19:26 +00:00
|
|
|
const bool aIsTemporary,
|
2007-10-03 11:43:54 +00:00
|
|
|
const nsACString &fingerprintAlgOID,
|
|
|
|
|
const nsACString &fingerprint,
|
|
|
|
|
nsCertOverride::OverrideBits ob,
|
|
|
|
|
const nsACString &dbKey)
|
|
|
|
|
{
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString hostPort;
|
2008-04-22 20:03:20 +00:00
|
|
|
GetHostWithPort(aHostName, aPort, hostPort);
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2008-04-22 20:03:20 +00:00
|
|
|
nsCertOverrideEntry *entry = mSettingsTable.PutEntry(hostPort.get());
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
if (!entry) {
|
|
|
|
|
NS_ERROR("can't insert a null entry!");
|
|
|
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-22 20:03:20 +00:00
|
|
|
entry->mHostWithPort = hostPort;
|
|
|
|
|
|
2007-10-03 11:43:54 +00:00
|
|
|
nsCertOverride &settings = entry->mSettings;
|
2008-04-22 20:03:20 +00:00
|
|
|
settings.mAsciiHost = aHostName;
|
|
|
|
|
settings.mPort = aPort;
|
2007-11-19 15:32:43 +00:00
|
|
|
settings.mIsTemporary = aIsTemporary;
|
2007-10-03 11:43:54 +00:00
|
|
|
settings.mFingerprintAlgOID = fingerprintAlgOID;
|
|
|
|
|
settings.mFingerprint = fingerprint;
|
|
|
|
|
settings.mOverrideBits = ob;
|
|
|
|
|
settings.mDBKey = dbKey;
|
2008-10-23 02:16:06 +00:00
|
|
|
settings.mCert = aCert;
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2012-08-22 15:56:38 +00:00
|
|
|
nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, int32_t aPort)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
2010-05-25 14:34:13 +00:00
|
|
|
if (aPort == 0 &&
|
|
|
|
|
aHostName.EqualsLiteral("all:temporary-certificates")) {
|
|
|
|
|
RemoveAllTemporaryOverrides();
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString hostPort;
|
2008-04-22 20:03:20 +00:00
|
|
|
GetHostWithPort(aHostName, aPort, hostPort);
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2008-04-22 20:03:20 +00:00
|
|
|
mSettingsTable.RemoveEntry(hostPort.get());
|
2007-10-03 11:43:54 +00:00
|
|
|
Write();
|
|
|
|
|
}
|
2014-10-24 17:46:30 +00:00
|
|
|
|
|
|
|
|
if (EnsureNSSInitialized(nssEnsure)) {
|
|
|
|
|
SSL_ClearSessionCache();
|
|
|
|
|
} else {
|
|
|
|
|
return NS_ERROR_NOT_AVAILABLE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-03 11:43:54 +00:00
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-29 23:25:16 +00:00
|
|
|
static PLDHashOperator
|
|
|
|
|
CountPermanentEntriesCallback(nsCertOverrideEntry* aEntry, void* aArg)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
2014-10-29 23:25:16 +00:00
|
|
|
uint32_t* overrideCount = reinterpret_cast<uint32_t*>(aArg);
|
|
|
|
|
if (aEntry && !aEntry->mSettings.mIsTemporary) {
|
|
|
|
|
*overrideCount = *overrideCount + 1;
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
nsCertOverrideService::CountPermanentOverrideTelemetry()
|
|
|
|
|
{
|
|
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
|
|
|
|
uint32_t overrideCount = 0;
|
|
|
|
|
mSettingsTable.EnumerateEntries(CountPermanentEntriesCallback,
|
|
|
|
|
&overrideCount);
|
|
|
|
|
Telemetry::Accumulate(Telemetry::SSL_PERMANENT_CERT_ERROR_OVERRIDES,
|
|
|
|
|
overrideCount);
|
2007-10-03 11:43:54 +00:00
|
|
|
}
|
|
|
|
|
|
2011-09-29 06:19:26 +00:00
|
|
|
static bool
|
2007-10-03 11:43:54 +00:00
|
|
|
matchesDBKey(nsIX509Cert *cert, const char *match_dbkey)
|
|
|
|
|
{
|
2012-10-17 20:48:36 +00:00
|
|
|
char *dbkey = nullptr;
|
2007-10-03 11:43:54 +00:00
|
|
|
nsresult rv = cert->GetDbKey(&dbkey);
|
|
|
|
|
if (NS_FAILED(rv) || !dbkey)
|
2011-10-17 14:59:28 +00:00
|
|
|
return false;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
2011-09-29 06:19:26 +00:00
|
|
|
bool found_mismatch = false;
|
2007-10-03 11:43:54 +00:00
|
|
|
const char *key1 = dbkey;
|
|
|
|
|
const char *key2 = match_dbkey;
|
|
|
|
|
|
|
|
|
|
// skip over any whitespace when comparing
|
|
|
|
|
while (*key1 && *key2) {
|
|
|
|
|
char c1 = *key1;
|
|
|
|
|
char c2 = *key2;
|
|
|
|
|
|
|
|
|
|
switch (c1) {
|
|
|
|
|
case ' ':
|
|
|
|
|
case '\t':
|
|
|
|
|
case '\n':
|
|
|
|
|
case '\r':
|
|
|
|
|
++key1;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (c2) {
|
|
|
|
|
case ' ':
|
|
|
|
|
case '\t':
|
|
|
|
|
case '\n':
|
|
|
|
|
case '\r':
|
|
|
|
|
++key2;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (c1 != c2) {
|
2011-10-17 14:59:28 +00:00
|
|
|
found_mismatch = true;
|
2007-10-03 11:43:54 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
++key1;
|
|
|
|
|
++key2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PR_Free(dbkey);
|
|
|
|
|
return !found_mismatch;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-19 15:32:43 +00:00
|
|
|
struct nsCertAndBoolsAndInt
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
nsIX509Cert *cert;
|
2011-09-29 06:19:26 +00:00
|
|
|
bool aCheckTemporaries;
|
|
|
|
|
bool aCheckPermanents;
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t counter;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
SECOidTag mOidTagForStoringNewHashes;
|
|
|
|
|
nsCString mDottedOidForStoringNewHashes;
|
|
|
|
|
};
|
|
|
|
|
|
2012-10-08 16:15:12 +00:00
|
|
|
static PLDHashOperator
|
2007-10-03 11:43:54 +00:00
|
|
|
FindMatchingCertCallback(nsCertOverrideEntry *aEntry,
|
|
|
|
|
void *aArg)
|
|
|
|
|
{
|
2007-11-19 15:32:43 +00:00
|
|
|
nsCertAndBoolsAndInt *cai = (nsCertAndBoolsAndInt *)aArg;
|
2007-10-03 11:43:54 +00:00
|
|
|
|
|
|
|
|
if (cai && aEntry)
|
|
|
|
|
{
|
|
|
|
|
const nsCertOverride &settings = aEntry->mSettings;
|
2011-09-29 06:19:26 +00:00
|
|
|
bool still_ok = true;
|
2007-11-19 15:32:43 +00:00
|
|
|
|
|
|
|
|
if ((settings.mIsTemporary && !cai->aCheckTemporaries)
|
|
|
|
|
||
|
|
|
|
|
(!settings.mIsTemporary && !cai->aCheckPermanents)) {
|
2011-10-17 14:59:28 +00:00
|
|
|
still_ok = false;
|
2007-11-19 15:32:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (still_ok && matchesDBKey(cai->cert, settings.mDBKey.get())) {
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString cert_fingerprint;
|
2014-10-24 17:46:30 +00:00
|
|
|
nsresult rv = NS_ERROR_UNEXPECTED;
|
2007-10-03 11:43:54 +00:00
|
|
|
if (settings.mFingerprintAlgOID.Equals(cai->mDottedOidForStoringNewHashes)) {
|
|
|
|
|
rv = GetCertFingerprintByOidTag(cai->cert,
|
|
|
|
|
cai->mOidTagForStoringNewHashes, cert_fingerprint);
|
|
|
|
|
}
|
|
|
|
|
if (NS_SUCCEEDED(rv) &&
|
|
|
|
|
settings.mFingerprint.Equals(cert_fingerprint)) {
|
|
|
|
|
cai->counter++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
|
|
|
|
nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert *aCert,
|
2011-09-29 06:19:26 +00:00
|
|
|
bool aCheckTemporaries,
|
|
|
|
|
bool aCheckPermanents,
|
2012-08-22 15:56:38 +00:00
|
|
|
uint32_t *_retval)
|
2007-10-03 11:43:54 +00:00
|
|
|
{
|
|
|
|
|
NS_ENSURE_ARG(aCert);
|
|
|
|
|
NS_ENSURE_ARG(_retval);
|
|
|
|
|
|
2007-11-19 15:32:43 +00:00
|
|
|
nsCertAndBoolsAndInt cai;
|
2007-10-03 11:43:54 +00:00
|
|
|
cai.cert = aCert;
|
2007-11-19 15:32:43 +00:00
|
|
|
cai.aCheckTemporaries = aCheckTemporaries;
|
|
|
|
|
cai.aCheckPermanents = aCheckPermanents;
|
2007-10-03 11:43:54 +00:00
|
|
|
cai.counter = 0;
|
|
|
|
|
cai.mOidTagForStoringNewHashes = mOidTagForStoringNewHashes;
|
|
|
|
|
cai.mDottedOidForStoringNewHashes = mDottedOidForStoringNewHashes;
|
|
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
mSettingsTable.EnumerateEntries(FindMatchingCertCallback, &cai);
|
|
|
|
|
}
|
|
|
|
|
*_retval = cai.counter;
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct nsCertAndPointerAndCallback
|
|
|
|
|
{
|
|
|
|
|
nsIX509Cert *cert;
|
|
|
|
|
void *userdata;
|
|
|
|
|
nsCertOverrideService::CertOverrideEnumerator enumerator;
|
|
|
|
|
|
|
|
|
|
SECOidTag mOidTagForStoringNewHashes;
|
|
|
|
|
nsCString mDottedOidForStoringNewHashes;
|
|
|
|
|
};
|
|
|
|
|
|
2012-10-08 16:15:12 +00:00
|
|
|
static PLDHashOperator
|
2007-10-03 11:43:54 +00:00
|
|
|
EnumerateCertOverridesCallback(nsCertOverrideEntry *aEntry,
|
|
|
|
|
void *aArg)
|
|
|
|
|
{
|
|
|
|
|
nsCertAndPointerAndCallback *capac = (nsCertAndPointerAndCallback *)aArg;
|
|
|
|
|
|
|
|
|
|
if (capac && aEntry)
|
|
|
|
|
{
|
|
|
|
|
const nsCertOverride &settings = aEntry->mSettings;
|
|
|
|
|
|
|
|
|
|
if (!capac->cert) {
|
|
|
|
|
(*capac->enumerator)(settings, capac->userdata);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
if (matchesDBKey(capac->cert, settings.mDBKey.get())) {
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString cert_fingerprint;
|
2014-10-24 17:46:30 +00:00
|
|
|
nsresult rv = NS_ERROR_UNEXPECTED;
|
2007-10-03 11:43:54 +00:00
|
|
|
if (settings.mFingerprintAlgOID.Equals(capac->mDottedOidForStoringNewHashes)) {
|
|
|
|
|
rv = GetCertFingerprintByOidTag(capac->cert,
|
|
|
|
|
capac->mOidTagForStoringNewHashes, cert_fingerprint);
|
|
|
|
|
}
|
|
|
|
|
if (NS_SUCCEEDED(rv) &&
|
|
|
|
|
settings.mFingerprint.Equals(cert_fingerprint)) {
|
|
|
|
|
(*capac->enumerator)(settings, capac->userdata);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PL_DHASH_NEXT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
nsresult
|
|
|
|
|
nsCertOverrideService::EnumerateCertOverrides(nsIX509Cert *aCert,
|
|
|
|
|
CertOverrideEnumerator enumerator,
|
|
|
|
|
void *aUserData)
|
|
|
|
|
{
|
|
|
|
|
nsCertAndPointerAndCallback capac;
|
|
|
|
|
capac.cert = aCert;
|
|
|
|
|
capac.userdata = aUserData;
|
|
|
|
|
capac.enumerator = enumerator;
|
|
|
|
|
capac.mOidTagForStoringNewHashes = mOidTagForStoringNewHashes;
|
|
|
|
|
capac.mDottedOidForStoringNewHashes = mDottedOidForStoringNewHashes;
|
|
|
|
|
|
|
|
|
|
{
|
2011-04-29 19:21:57 +00:00
|
|
|
ReentrantMonitorAutoEnter lock(monitor);
|
2007-10-03 11:43:54 +00:00
|
|
|
mSettingsTable.EnumerateEntries(EnumerateCertOverridesCallback, &capac);
|
|
|
|
|
}
|
|
|
|
|
return NS_OK;
|
|
|
|
|
}
|
2008-04-22 20:03:20 +00:00
|
|
|
|
|
|
|
|
void
|
2012-08-22 15:56:38 +00:00
|
|
|
nsCertOverrideService::GetHostWithPort(const nsACString & aHostName, int32_t aPort, nsACString& _retval)
|
2008-04-22 20:03:20 +00:00
|
|
|
{
|
2012-09-02 02:35:17 +00:00
|
|
|
nsAutoCString hostPort(aHostName);
|
2009-03-18 14:59:57 +00:00
|
|
|
if (aPort == -1) {
|
2008-04-22 20:03:20 +00:00
|
|
|
aPort = 443;
|
2009-03-18 14:59:57 +00:00
|
|
|
}
|
|
|
|
|
if (!hostPort.IsEmpty()) {
|
2014-05-22 03:48:51 +00:00
|
|
|
hostPort.Append(':');
|
2009-03-18 14:59:57 +00:00
|
|
|
hostPort.AppendInt(aPort);
|
|
|
|
|
}
|
2008-04-22 20:03:20 +00:00
|
|
|
_retval.Assign(hostPort);
|
2009-03-18 14:59:57 +00:00
|
|
|
}
|
