mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-20 16:55:40 +00:00
Bug 1560354 - Transform some nss types into gecko types. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D35566 --HG-- extra : moz-landing-system : lando
parent
0a2a769367
commit
1ed2904c50
@ -447,8 +447,8 @@ Result CertVerifier::VerifyCert(
|
||||
const char* hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ const Flags flags,
|
||||
/*optional*/ const SECItem* stapledOCSPResponseSECItem,
|
||||
/*optional*/ const SECItem* sctsFromTLSSECItem,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
|
||||
/*optional*/ const OriginAttributes& originAttributes,
|
||||
/*optional out*/ SECOidTag* evOidPolicy,
|
||||
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
|
||||
@ -516,9 +516,9 @@ Result CertVerifier::VerifyCert(
|
||||
|
||||
Input stapledOCSPResponseInput;
|
||||
const Input* stapledOCSPResponse = nullptr;
|
||||
if (stapledOCSPResponseSECItem) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
|
||||
stapledOCSPResponseSECItem->len);
|
||||
if (stapledOCSPResponseArg) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseArg->Elements(),
|
||||
stapledOCSPResponseArg->Length());
|
||||
if (rv != Success) {
|
||||
// The stapled OCSP response was too big.
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
@ -527,12 +527,12 @@ Result CertVerifier::VerifyCert(
|
||||
}
|
||||
|
||||
Input sctsFromTLSInput;
|
||||
if (sctsFromTLSSECItem) {
|
||||
rv = sctsFromTLSInput.Init(sctsFromTLSSECItem->data,
|
||||
sctsFromTLSSECItem->len);
|
||||
// Silently discard the error of the extension being too big,
|
||||
// do not fail the verification.
|
||||
MOZ_ASSERT(rv == Success);
|
||||
if (sctsFromTLS) {
|
||||
rv = sctsFromTLSInput.Init(sctsFromTLS->Elements(),
|
||||
sctsFromTLS->Length());
|
||||
if (rv != Success && sctsFromTLSInput.GetLength() != 0) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
switch (usage) {
|
||||
@ -854,8 +854,8 @@ static bool CertIsSelfSigned(const UniqueCERTCertificate& cert, void* pinarg) {
|
||||
|
||||
Result CertVerifier::VerifySSLServerCert(
|
||||
const UniqueCERTCertificate& peerCert,
|
||||
/*optional*/ const SECItem* stapledOCSPResponse,
|
||||
/*optional*/ const SECItem* sctsFromTLS, Time time,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, Time time,
|
||||
/*optional*/ void* pinarg, const nsACString& hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase,
|
||||
@ -924,8 +924,8 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
Input stapledOCSPResponseInput;
|
||||
Input* responseInputPtr = nullptr;
|
||||
if (stapledOCSPResponse) {
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
|
||||
stapledOCSPResponse->len);
|
||||
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->Elements(),
|
||||
stapledOCSPResponse->Length());
|
||||
if (rv != Success) {
|
||||
// The stapled OCSP response was too big.
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
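Review bot: In the `@ -527` hunk of `CertVerifier::VerifyCert`, the new guard `if (rv != Success && sctsFromTLSInput.GetLength() != 0)` looks unreachable: when `Init` fails the `Input` presumably stays empty, so an oversized SCT list is still dropped silently, which is what the removed comment used to say. If that is intended, restore the comment above the call (`// Silently discard the error of the extension being too big, do not fail the verification.`) and drop the dead branch; if a failure is meant to be fatal, test `rv != Success` alone. As written a reader cannot tell which behaviour is wanted, while the stapled OCSP path a few lines up clearly fails closed with `ERROR_OCSP_MALFORMED_RESPONSE`. The body of `VerifyCert` continues outside the hunks shown.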
|
@ -146,8 +146,8 @@ class CertVerifier {
|
||||
CERTCertificate* cert, SECCertificateUsage usage,
|
||||
mozilla::pkix::Time time, void* pinArg, const char* hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain, Flags flags = 0,
|
||||
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
|
||||
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
|
||||
/*optional in*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg = Maybe<nsTArray<uint8_t>>(),
|
||||
/*optional in*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS = Maybe<nsTArray<uint8_t>>(),
|
||||
/*optional in*/ const OriginAttributes& originAttributes =
|
||||
OriginAttributes(),
|
||||
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
|
||||
@ -159,8 +159,8 @@ class CertVerifier {
|
||||
|
||||
mozilla::pkix::Result VerifySSLServerCert(
|
||||
const UniqueCERTCertificate& peerCert,
|
||||
/*optional*/ const SECItem* stapledOCSPResponse,
|
||||
/*optional*/ const SECItem* sctsFromTLS, mozilla::pkix::Time time,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, mozilla::pkix::Time time,
|
||||
/*optional*/ void* pinarg, const nsACString& hostname,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase = false,
|
||||
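Review bot: The defaults `= Maybe<nsTArray<uint8_t>>()` on the `VerifyCert` declaration are much longer than the surrounding lines, and `Nothing()` should express the same empty default, e.g. `const Maybe<nsTArray<uint8_t>>& sctsFromTLS = Nothing(),`. The same applies to the call sites in this commit that pass `Maybe<nsTArray<uint8_t>>()` for the stapledOCSPResponse and sctsFromTLSExtension arguments (`VerifyCertAtTime`, `nsNSSSocketInfo::IsAcceptableForHost`, `nsSiteSecurityService::ProcessPKPHeader`). `VerifyCert` also names its parameter `stapledOCSPResponseArg` while `VerifySSLServerCert` keeps `stapledOCSPResponse`; one name for both would read more easily. A short comment on the declarations, such as `// Nothing() means the peer sent no stapled response / SCT list`, would record what the empty value stands for.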
|
@ -731,8 +731,8 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
nsNSSSocketInfo* infoObject,
|
||||
const UniqueCERTCertificate& serverCert,
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time, PRTime prtime);
|
||||
|
||||
private:
|
||||
@ -742,9 +742,10 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
SSLServerCertVerificationJob(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime);
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time, PRTime prtime);
|
||||
const RefPtr<SharedCertVerifier> mCertVerifier;
|
||||
const void* const mFdForLogging;
|
||||
const RefPtr<nsNSSSocketInfo> mInfoObject;
|
||||
@ -754,16 +755,17 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
const Time mTime;
|
||||
const PRTime mPRTime;
|
||||
const TimeStamp mJobStartTime;
|
||||
const UniqueSECItem mStapledOCSPResponse;
|
||||
const UniqueSECItem mSCTsFromTLSExtension;
|
||||
Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
|
||||
Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
|
||||
};
|
||||
|
||||
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime)
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime)
|
||||
: Runnable("psm::SSLServerCertVerificationJob"),
|
||||
mCertVerifier(certVerifier),
|
||||
mFdForLogging(fdForLogging),
|
||||
@ -774,8 +776,8 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
mTime(time),
|
||||
mPRTime(prtime),
|
||||
mJobStartTime(TimeStamp::Now()),
|
||||
mStapledOCSPResponse(SECITEM_DupItem(stapledOCSPResponse)),
|
||||
mSCTsFromTLSExtension(SECITEM_DupItem(sctsFromTLSExtension)) {}
|
||||
mStapledOCSPResponse(std::move(stapledOCSPResponse)),
|
||||
mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)) {}
|
||||
|
||||
// This function assumes that we will only use the SPDY connection coalescing
|
||||
// feature on connections where we have negotiated SPDY using NPN. If we ever
|
||||
@ -1275,8 +1277,8 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
|
||||
nsNSSSocketInfo* infoObject,
|
||||
const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList& peerCertChain,
|
||||
const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension,
|
||||
const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
uint32_t providerFlags, Time time) {
|
||||
MOZ_ASSERT(infoObject);
|
||||
MOZ_ASSERT(cert);
|
||||
@ -1379,9 +1381,10 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
|
||||
SECStatus SSLServerCertVerificationJob::Dispatch(
|
||||
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
|
||||
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert,
|
||||
const UniqueCERTCertList& peerCertChain, const SECItem* stapledOCSPResponse,
|
||||
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
|
||||
PRTime prtime) {
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime) {
|
||||
// Runs on the socket transport thread
|
||||
if (!certVerifier || !infoObject || !serverCert) {
|
||||
NS_ERROR("Invalid parameters for SSL server cert validation");
|
||||
@ -1445,7 +1448,7 @@ SSLServerCertVerificationJob::Run() {
|
||||
PR_SetError(0, 0);
|
||||
SECStatus rv =
|
||||
AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain,
|
||||
mStapledOCSPResponse.get(), mSCTsFromTLSExtension.get(),
|
||||
mStapledOCSPResponse, mSCTsFromTLSExtension,
|
||||
mProviderFlags, mTime);
|
||||
MOZ_ASSERT((mPeerCertChain && rv == SECSuccess) ||
|
||||
(!mPeerCertChain && rv != SECSuccess),
|
||||
@ -1590,18 +1593,21 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
|
||||
// return a stapled OCSP response.
|
||||
// We don't own these pointers.
|
||||
const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd);
|
||||
SECItem* stapledOCSPResponse = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
|
||||
// we currently only support single stapled responses
|
||||
if (csa && csa->len == 1) {
|
||||
stapledOCSPResponse = &csa->items[0];
|
||||
stapledOCSPResponse.emplace();
|
||||
stapledOCSPResponse->SetCapacity(csa->items[0].len);
|
||||
stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len);
|
||||
}
|
||||
|
||||
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
|
||||
// SSL_PeerSignedCertTimestamps returns null on error and empty item
|
||||
// when no extension was returned by the server. We always use null when
|
||||
// no extension was received (for whatever reason), ignoring errors.
|
||||
sctsFromTLSExtension = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
|
||||
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtensionSECItem) {
|
||||
stapledOCSPResponse.emplace();
|
||||
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
|
||||
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
|
||||
sctsFromTLSExtensionSECItem->len);
|
||||
}
|
||||
|
||||
uint32_t providerFlags = 0;
|
||||
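Review bot: In `AuthCertificateHook` the block that copies the SCT list calls `stapledOCSPResponse.emplace();` and then writes through `sctsFromTLSExtension->SetCapacity(...)`, so `sctsFromTLSExtension` is still empty when it is dereferenced and the stapled OCSP response captured just above is emplaced a second time. This looks like a copy-paste slip; the line should read `sctsFromTLSExtension.emplace();`, as the matching block in `RebuildVerifiedCertificateInformation` has it. Depending on how `Maybe` asserts in the build, a connection where the peer supplies SCTs would either hit an assertion or access an unset `Maybe`, so this path deserves a test with both a stapled response and an SCT extension present. `Dispatch` and the job constructor also take `Maybe<nsTArray<uint8_t>>&` and `std::move` out of it, which empties the caller's object; an `&&` parameter would make that transfer visible at the call site. The function bodies continue outside the hunks shown.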
|
@ -1044,17 +1044,22 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
|
||||
|
||||
// We don't own these pointers.
|
||||
const SECItemArray* stapledOCSPResponses = SSL_PeerStapledOCSPResponses(fd);
|
||||
const SECItem* stapledOCSPResponse = nullptr;
|
||||
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
|
||||
// we currently only support single stapled responses
|
||||
if (stapledOCSPResponses && stapledOCSPResponses->len == 1) {
|
||||
stapledOCSPResponse = &stapledOCSPResponses->items[0];
|
||||
stapledOCSPResponse.emplace();
|
||||
stapledOCSPResponse->SetCapacity(stapledOCSPResponses->items[0].len);
|
||||
stapledOCSPResponse->AppendElements(stapledOCSPResponses->items[0].data,
|
||||
stapledOCSPResponses->items[0].len);
|
||||
}
|
||||
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
|
||||
// SSL_PeerSignedCertTimestamps returns null on error and empty item
|
||||
// when no extension was returned by the server. We always use null when
|
||||
// no extension was received (for whatever reason), ignoring errors.
|
||||
sctsFromTLSExtension = nullptr;
|
||||
|
||||
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
|
||||
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
|
||||
if (sctsFromTLSExtensionSECItem) {
|
||||
sctsFromTLSExtension.emplace();
|
||||
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
|
||||
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
|
||||
sctsFromTLSExtensionSECItem->len);
|
||||
}
|
||||
|
||||
int flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY;
|
||||
@ -1068,9 +1073,9 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
|
||||
UniqueCERTCertList builtChain;
|
||||
const bool saveIntermediates = false;
|
||||
mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
|
||||
cert, stapledOCSPResponse, sctsFromTLSExtension, mozilla::pkix::Now(),
|
||||
infoObject, infoObject->GetHostName(), builtChain, saveIntermediates,
|
||||
flags, infoObject->GetOriginAttributes(), &evOidPolicy,
|
||||
cert, stapledOCSPResponse, sctsFromTLSExtension,
|
||||
mozilla::pkix::Now(), infoObject, infoObject->GetHostName(), builtChain,
|
||||
saveIntermediates, flags, infoObject->GetOriginAttributes(), &evOidPolicy,
|
||||
nullptr, // OCSP stapling telemetry
|
||||
nullptr, // key size telemetry
|
||||
nullptr, // SHA-1 telemetry
|
||||
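Review bot: The new SCT block in `RebuildVerifiedCertificateInformation` fills `sctsFromTLSExtension` for any non-null item, so the case the removed comment described (an empty item when the server sent no extension) now reaches `VerifySSLServerCert` as a present but empty array instead of an absent value. If absent and empty are meant to stay equivalent, keep the length test, `if (sctsFromTLSExtensionSECItem && sctsFromTLSExtensionSECItem->len != 0) {`, together with the comment about `SSL_PeerSignedCertTimestamps` returning null on error. The corresponding block in `AuthCertificateHook` has the same shape. Whether downstream code distinguishes the two cases is not visible in these hunks.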
|
@ -1143,8 +1143,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
|
||||
if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
|
||||
result = certVerifier->VerifySSLServerCert(
|
||||
nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
aTime,
|
||||
nullptr, // Assume no context
|
||||
aHostname, resultChain,
|
||||
@ -1156,8 +1156,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
|
||||
nssCert.get(), aUsage, aTime,
|
||||
nullptr, // Assume no context
|
||||
aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
OriginAttributes(), &evOidPolicy);
|
||||
}
|
||||
|
||||
|
@ -472,8 +472,8 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname,
|
||||
UniqueCERTCertList unusedBuiltChain;
|
||||
mozilla::pkix::Result result =
|
||||
certVerifier->VerifySSLServerCert(nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
mozilla::pkix::Now(),
|
||||
nullptr, // pinarg
|
||||
hostname, unusedBuiltChain,
|
||||
|
@ -1052,10 +1052,10 @@ nsresult nsSiteSecurityService::ProcessPKPHeader(
|
||||
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
|
||||
CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
|
||||
if (certVerifier->VerifySSLServerCert(nssCert,
|
||||
nullptr, // stapledOCSPResponse
|
||||
nullptr, // sctsFromTLSExtension
|
||||
now, nullptr, // pinarg
|
||||
host, // hostname
|
||||
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
|
||||
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
|
||||
now, nullptr, // pinarg
|
||||
host, // hostname
|
||||
certList,
|
||||
false, // don't store intermediates
|
||||
flags, aOriginAttributes) !=
|
||||
|