mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 23:31:56 +00:00
b503616295
# ignore-this-changeset Differential Revision: https://phabricator.services.mozilla.com/D36056 --HG-- extra : source : 2616392f26053ee376b9126fbca696de5d4bb15b
234 lines
7.2 KiB
JavaScript
234 lines
7.2 KiB
JavaScript
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
var EXPORTED_SYMBOLS = ["CertUtils"];
|
|
|
|
const Ce = Components.Exception;
|
|
|
|
const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
|
|
|
|
/**
|
|
* Reads a set of expected certificate attributes from preferences. The returned
|
|
* array can be passed to validateCert or checkCert to validate that a
|
|
* certificate matches the expected attributes. The preferences should look like
|
|
* this:
|
|
* prefix.1.attribute1
|
|
* prefix.1.attribute2
|
|
* prefix.2.attribute1
|
|
* etc.
|
|
* Each numeric branch contains a set of required attributes for a single
|
|
* certificate. Having multiple numeric branches means that multiple
|
|
* certificates would be accepted by validateCert.
|
|
*
|
|
* @param aPrefBranch
|
|
* The prefix for all preferences, should end with a ".".
|
|
* @return An array of JS objects with names / values corresponding to the
|
|
* expected certificate's attribute names / values.
|
|
*/
|
|
function readCertPrefs(aPrefBranch) {
|
|
if (Services.prefs.getBranch(aPrefBranch).getChildList("").length == 0) {
|
|
return null;
|
|
}
|
|
|
|
let certs = [];
|
|
let counter = 1;
|
|
while (true) {
|
|
let prefBranchCert = Services.prefs.getBranch(aPrefBranch + counter + ".");
|
|
let prefCertAttrs = prefBranchCert.getChildList("");
|
|
if (prefCertAttrs.length == 0) {
|
|
break;
|
|
}
|
|
|
|
let certAttrs = {};
|
|
for (let prefCertAttr of prefCertAttrs) {
|
|
certAttrs[prefCertAttr] = prefBranchCert.getCharPref(prefCertAttr);
|
|
}
|
|
|
|
certs.push(certAttrs);
|
|
counter++;
|
|
}
|
|
|
|
return certs;
|
|
}
|
|
|
|
/**
|
|
* Verifies that an nsIX509Cert matches the expected certificate attribute
|
|
* values.
|
|
*
|
|
* @param aCertificate
|
|
* The nsIX509Cert to compare to the expected attributes.
|
|
* @param aCerts
|
|
* An array of JS objects with names / values corresponding to the
|
|
* expected certificate's attribute names / values. If this is null or
|
|
* an empty array then no checks are performed.
|
|
* @throws NS_ERROR_ILLEGAL_VALUE if a certificate attribute name from the
|
|
* aCerts param does not exist or the value for a certificate attribute
|
|
* from the aCerts param is different than the expected value or
|
|
* aCertificate wasn't specified and aCerts is not null or an empty
|
|
* array.
|
|
*/
|
|
function validateCert(aCertificate, aCerts) {
|
|
// If there are no certificate requirements then just exit
|
|
if (!aCerts || aCerts.length == 0) {
|
|
return;
|
|
}
|
|
|
|
if (!aCertificate) {
|
|
const missingCertErr = "A required certificate was not present.";
|
|
Cu.reportError(missingCertErr);
|
|
throw new Ce(missingCertErr, Cr.NS_ERROR_ILLEGAL_VALUE);
|
|
}
|
|
|
|
var errors = [];
|
|
for (var i = 0; i < aCerts.length; ++i) {
|
|
var error = false;
|
|
var certAttrs = aCerts[i];
|
|
for (var name in certAttrs) {
|
|
if (!(name in aCertificate)) {
|
|
error = true;
|
|
errors.push(
|
|
"Expected attribute '" + name + "' not present in certificate."
|
|
);
|
|
break;
|
|
}
|
|
if (aCertificate[name] != certAttrs[name]) {
|
|
error = true;
|
|
errors.push(
|
|
"Expected certificate attribute '" +
|
|
name +
|
|
"' " +
|
|
"value incorrect, expected: '" +
|
|
certAttrs[name] +
|
|
"', got: '" +
|
|
aCertificate[name] +
|
|
"'."
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!error) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (error) {
|
|
errors.forEach(Cu.reportError.bind(Cu));
|
|
const certCheckErr =
|
|
"Certificate checks failed. See previous errors for details.";
|
|
Cu.reportError(certCheckErr);
|
|
throw new Ce(certCheckErr, Cr.NS_ERROR_ILLEGAL_VALUE);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Checks if the connection must be HTTPS and if so, only allows built-in
|
|
* certificates and validates application specified certificate attribute
|
|
* values.
|
|
* See bug 340198 and bug 544442.
|
|
*
|
|
* @param aChannel
|
|
* The nsIChannel that will have its certificate checked.
|
|
* @param aAllowNonBuiltInCerts (optional)
|
|
* When true certificates that aren't builtin are allowed. When false
|
|
* or not specified the certificate must be a builtin certificate.
|
|
* @param aCerts (optional)
|
|
* An array of JS objects with names / values corresponding to the
|
|
* channel's expected certificate's attribute names / values. If it
|
|
* isn't null or not specified the the scheme for the channel's
|
|
* originalURI must be https.
|
|
* @throws NS_ERROR_UNEXPECTED if a certificate is expected and the URI scheme
|
|
* is not https.
|
|
* NS_ERROR_ILLEGAL_VALUE if a certificate attribute name from the
|
|
* aCerts param does not exist or the value for a certificate attribute
|
|
* from the aCerts param is different than the expected value.
|
|
* NS_ERROR_ABORT if the certificate issuer is not built-in.
|
|
*/
|
|
function checkCert(aChannel, aAllowNonBuiltInCerts, aCerts) {
|
|
if (!aChannel.originalURI.schemeIs("https")) {
|
|
// Require https if there are certificate values to verify
|
|
if (aCerts) {
|
|
throw new Ce(
|
|
"SSL is required and URI scheme is not https.",
|
|
Cr.NS_ERROR_UNEXPECTED
|
|
);
|
|
}
|
|
return;
|
|
}
|
|
|
|
let secInfo = aChannel.securityInfo.QueryInterface(
|
|
Ci.nsITransportSecurityInfo
|
|
);
|
|
let cert = secInfo.serverCert;
|
|
|
|
validateCert(cert, aCerts);
|
|
|
|
if (aAllowNonBuiltInCerts === true) {
|
|
return;
|
|
}
|
|
|
|
let issuerCert = null;
|
|
// eslint-disable-next-line no-empty
|
|
for (issuerCert of secInfo.succeededCertChain.getEnumerator()) {
|
|
}
|
|
|
|
const certNotBuiltInErr = "Certificate issuer is not built-in.";
|
|
if (!issuerCert) {
|
|
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
|
|
}
|
|
|
|
if (!issuerCert.isBuiltInRoot) {
|
|
throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* This class implements nsIBadCertListener. Its job is to prevent "bad cert"
|
|
* security dialogs from being shown to the user. It is better to simply fail
|
|
* if the certificate is bad. See bug 304286.
|
|
*
|
|
* @param aAllowNonBuiltInCerts (optional)
|
|
* When true certificates that aren't builtin are allowed. When false
|
|
* or not specified the certificate must be a builtin certificate.
|
|
*/
|
|
function BadCertHandler(aAllowNonBuiltInCerts) {
|
|
this.allowNonBuiltInCerts = aAllowNonBuiltInCerts;
|
|
}
|
|
BadCertHandler.prototype = {
|
|
// nsIChannelEventSink
|
|
asyncOnChannelRedirect(oldChannel, newChannel, flags, callback) {
|
|
if (this.allowNonBuiltInCerts) {
|
|
callback.onRedirectVerifyCallback(Cr.NS_OK);
|
|
return;
|
|
}
|
|
|
|
// make sure the certificate of the old channel checks out before we follow
|
|
// a redirect from it. See bug 340198.
|
|
// Don't call checkCert for internal redirects. See bug 569648.
|
|
if (!(flags & Ci.nsIChannelEventSink.REDIRECT_INTERNAL)) {
|
|
checkCert(oldChannel);
|
|
}
|
|
|
|
callback.onRedirectVerifyCallback(Cr.NS_OK);
|
|
},
|
|
|
|
// nsIInterfaceRequestor
|
|
getInterface(iid) {
|
|
return this.QueryInterface(iid);
|
|
},
|
|
|
|
// nsISupports
|
|
QueryInterface: ChromeUtils.generateQI([
|
|
"nsIChannelEventSink",
|
|
"nsIInterfaceRequestor",
|
|
]),
|
|
};
|
|
|
|
var CertUtils = {
|
|
BadCertHandler,
|
|
checkCert,
|
|
readCertPrefs,
|
|
validateCert,
|
|
};
|