Source code

Revision control

Copy as Markdown

Other Tools

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set sw=2 ts=8 et tw=80 : */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "VerifySSLServerCertChild.h"
#include "CertVerifier.h"
#include "mozilla/ipc/Endpoint.h"
#include "mozilla/net/SocketProcessBackgroundChild.h"
#include "mozilla/psm/PVerifySSLServerCertParent.h"
#include "mozilla/psm/PVerifySSLServerCertChild.h"
#include "nsNSSIOLayer.h"
#include "nsSerializationHelper.h"
#include "secerr.h"
extern mozilla::LazyLogModule gPIPNSSLog;
namespace mozilla {
namespace psm {
VerifySSLServerCertChild::VerifySSLServerCertChild(
SSLServerCertVerificationResult* aResultTask,
nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint32_t aProviderFlags)
: mResultTask(aResultTask),
mPeerCertChain(std::move(aPeerCertChain)),
mProviderFlags(aProviderFlags) {}
ipc::IPCResult VerifySSLServerCertChild::RecvOnVerifySSLServerCertFinished(
nsTArray<ByteArray>&& aBuiltCertChain,
const uint16_t& aCertTransparencyStatus, const EVStatus& aEVStatus,
const bool& aSucceeded, int32_t aFinalError,
const nsITransportSecurityInfo::OverridableErrorCategory&
aOverridableErrorCategory,
const bool& aIsBuiltCertChainRootBuiltInRoot,
const bool& aMadeOCSPRequests) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("[%p] VerifySSLServerCertChild::RecvOnVerifySSLServerCertFinished",
this));
nsTArray<nsTArray<uint8_t>> certBytesArray;
for (auto& cert : aBuiltCertChain) {
certBytesArray.AppendElement(std::move(cert.data()));
}
nsresult rv = mResultTask->Dispatch(
std::move(certBytesArray), std::move(mPeerCertChain),
aCertTransparencyStatus, aEVStatus, aSucceeded, aFinalError,
aOverridableErrorCategory, aIsBuiltCertChainRootBuiltInRoot,
mProviderFlags, aMadeOCSPRequests);
if (NS_FAILED(rv)) {
// We can't release this off the STS thread because some parts of it are
// not threadsafe. Just leak mResultTask.
Unused << mResultTask.forget();
}
return IPC_OK();
}
SECStatus RemoteProcessCertVerification(
nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, const nsACString& aHostName,
int32_t aPort, const OriginAttributes& aOriginAttributes,
Maybe<nsTArray<uint8_t>>& aStapledOCSPResponse,
Maybe<nsTArray<uint8_t>>& aSctsFromTLSExtension,
Maybe<DelegatedCredentialInfo>& aDcInfo, uint32_t aProviderFlags,
uint32_t aCertVerifierFlags, SSLServerCertVerificationResult* aResultTask) {
if (!aResultTask) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
nsTArray<ByteArray> peerCertBytes;
for (auto& certBytes : aPeerCertChain) {
peerCertBytes.AppendElement(ByteArray(certBytes));
}
Maybe<ByteArray> stapledOCSPResponse;
if (aStapledOCSPResponse) {
stapledOCSPResponse.emplace();
stapledOCSPResponse->data().Assign(*aStapledOCSPResponse);
}
Maybe<ByteArray> sctsFromTLSExtension;
if (aSctsFromTLSExtension) {
sctsFromTLSExtension.emplace();
sctsFromTLSExtension->data().Assign(*aSctsFromTLSExtension);
}
Maybe<DelegatedCredentialInfoArg> dcInfo;
if (aDcInfo) {
dcInfo.emplace();
dcInfo.ref().scheme() = static_cast<uint32_t>(aDcInfo->scheme);
dcInfo.ref().authKeyBits() = static_cast<uint32_t>(aDcInfo->authKeyBits);
}
ipc::Endpoint<PVerifySSLServerCertParent> parentEndpoint;
ipc::Endpoint<PVerifySSLServerCertChild> childEndpoint;
PVerifySSLServerCert::CreateEndpoints(&parentEndpoint, &childEndpoint);
// Create a dedicated nsCString, so that our lambda below can take an
// ownership stake in the underlying string buffer:
nsCString hostName(aHostName);
if (NS_FAILED(net::SocketProcessBackgroundChild::WithActor(
"SendInitVerifySSLServerCert",
[endpoint = std::move(parentEndpoint),
peerCertBytes = std::move(peerCertBytes),
hostName = std::move(hostName), port(aPort),
originAttributes(aOriginAttributes),
stapledOCSPResponse = std::move(stapledOCSPResponse),
sctsFromTLSExtension = std::move(sctsFromTLSExtension),
dcInfo = std::move(dcInfo), providerFlags(aProviderFlags),
certVerifierFlags(aCertVerifierFlags)](
net::SocketProcessBackgroundChild* aActor) mutable {
Unused << aActor->SendInitVerifySSLServerCert(
std::move(endpoint), peerCertBytes, hostName, port,
originAttributes, stapledOCSPResponse, sctsFromTLSExtension,
dcInfo, providerFlags, certVerifierFlags);
}))) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
RefPtr<VerifySSLServerCertChild> authCert = new VerifySSLServerCertChild(
aResultTask, std::move(aPeerCertChain), aProviderFlags);
if (!childEndpoint.Bind(authCert)) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
return SECWouldBlock;
}
} // namespace psm
} // namespace mozilla