mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-04 11:26:09 +00:00
139 lines
5.1 KiB
C++
139 lines
5.1 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "RootCertificateTelemetryUtils.h"
|
|
|
|
#include "RootHashes.inc" // Note: Generated by genRootCAHashes.js
|
|
#include "ScopedNSSTypes.h"
|
|
#include "mozilla/ArrayUtils.h"
|
|
#include "mozilla/Logging.h"
|
|
#include "nsINSSComponent.h"
|
|
#include "nsNSSCertHelper.h"
|
|
#include "nsServiceManagerUtils.h"
|
|
#include "pk11pub.h"
|
|
|
|
namespace mozilla {
|
|
namespace psm {
|
|
|
|
mozilla::LazyLogModule gPublicKeyPinningTelemetryLog(
|
|
"PublicKeyPinningTelemetryService");
|
|
|
|
// Used in the BinarySearch method, this does a memcmp between the pointer
|
|
// provided to its construtor and whatever the binary search is looking for.
|
|
//
|
|
// This implementation assumes everything to be of HASH_LEN, so it should not
|
|
// be used generically.
|
|
class BinaryHashSearchArrayComparator {
|
|
public:
|
|
explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len)
|
|
: mTarget(aTarget) {
|
|
MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length.");
|
|
}
|
|
|
|
int operator()(const CertAuthorityHash val) const {
|
|
return memcmp(mTarget, val.hash, HASH_LEN);
|
|
}
|
|
|
|
private:
|
|
const uint8_t* mTarget;
|
|
};
|
|
|
|
// Perform a hash of the provided cert, then search in the RootHashes.inc data
|
|
// structure for a matching bin number.
|
|
// If no matching root is found, this may be a CA from the softoken (cert9.db),
|
|
// it may be a CA from an external PKCS#11 token, or it may be a CA from OS
|
|
// storage (Enterprise Root).
|
|
// See also the constants in RootCertificateTelemetryUtils.h.
|
|
int32_t RootCABinNumber(Span<const uint8_t> cert) {
|
|
nsTArray<uint8_t> digestArray;
|
|
|
|
// Compute SHA256 hash of the certificate
|
|
nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert, digestArray);
|
|
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
return ROOT_CERTIFICATE_HASH_FAILURE;
|
|
}
|
|
|
|
// Compare against list of stored hashes
|
|
size_t idx;
|
|
|
|
MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
|
|
("pkpinTelem: First bytes %02x %02x %02x %02x\n",
|
|
digestArray.ElementAt(0), digestArray.ElementAt(1),
|
|
digestArray.ElementAt(2), digestArray.ElementAt(3)));
|
|
|
|
if (mozilla::BinarySearchIf(ROOT_TABLE, 0, ArrayLength(ROOT_TABLE),
|
|
BinaryHashSearchArrayComparator(
|
|
digestArray.Elements(), digestArray.Length()),
|
|
&idx)) {
|
|
MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
|
|
("pkpinTelem: Telemetry index was %zu, bin is %d\n", idx,
|
|
ROOT_TABLE[idx].binNumber));
|
|
return (int32_t)ROOT_TABLE[idx].binNumber;
|
|
}
|
|
|
|
// Didn't find this certificate in the built-in list. It may be an enterprise
|
|
// root (gathered from the OS) or it may be from the softoken or an external
|
|
// PKCS#11 token.
|
|
nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
|
|
if (!component) {
|
|
return ROOT_CERTIFICATE_UNKNOWN;
|
|
}
|
|
nsTArray<nsTArray<uint8_t>> enterpriseRoots;
|
|
rv = component->GetEnterpriseRoots(enterpriseRoots);
|
|
if (NS_FAILED(rv)) {
|
|
return ROOT_CERTIFICATE_UNKNOWN;
|
|
}
|
|
for (const auto& enterpriseRoot : enterpriseRoots) {
|
|
if (enterpriseRoot.Length() == cert.size() &&
|
|
memcmp(enterpriseRoot.Elements(), cert.data(),
|
|
enterpriseRoot.Length()) == 0) {
|
|
return ROOT_CERTIFICATE_ENTERPRISE_ROOT;
|
|
}
|
|
}
|
|
|
|
SECItem certItem = {siBuffer, const_cast<uint8_t*>(cert.data()),
|
|
static_cast<unsigned int>(cert.size())};
|
|
UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot());
|
|
if (!softokenSlot) {
|
|
return ROOT_CERTIFICATE_UNKNOWN;
|
|
}
|
|
CK_OBJECT_HANDLE softokenCertHandle =
|
|
PK11_FindEncodedCertInSlot(softokenSlot.get(), &certItem, nullptr);
|
|
if (softokenCertHandle != CK_INVALID_HANDLE) {
|
|
return ROOT_CERTIFICATE_SOFTOKEN;
|
|
}
|
|
// In theory this should never find the certificate in the root module,
|
|
// because then it should have already matched our built-in list. This is
|
|
// here as a backstop to catch situations where a built-in root was added but
|
|
// the built-in telemetry information was not updated.
|
|
UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName));
|
|
if (!rootsModule || rootsModule->slotCount != 1) {
|
|
return ROOT_CERTIFICATE_UNKNOWN;
|
|
}
|
|
CK_OBJECT_HANDLE builtinCertHandle =
|
|
PK11_FindEncodedCertInSlot(rootsModule->slots[0], &certItem, nullptr);
|
|
if (builtinCertHandle == CK_INVALID_HANDLE) {
|
|
return ROOT_CERTIFICATE_EXTERNAL_TOKEN;
|
|
}
|
|
|
|
// We have no idea what this is.
|
|
return ROOT_CERTIFICATE_UNKNOWN;
|
|
}
|
|
|
|
// Attempt to increment the appropriate bin in the provided Telemetry probe ID.
|
|
// If there was a hash failure, we do nothing.
|
|
void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
|
|
const Span<const uint8_t> cert) {
|
|
int32_t binId = RootCABinNumber(cert);
|
|
|
|
if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
|
|
Accumulate(probe, binId);
|
|
}
|
|
}
|
|
|
|
} // namespace psm
|
|
} // namespace mozilla
|