File: QWACTrustDomain.cpp

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "QWACTrustDomain.h"

#include "mozpkix/pkixnss.h"
#include "mozpkix/pkixutil.h"
#include "qwac_trust_anchors/qwac_trust_anchors_ffi_generated.h"

using namespace mozilla::pkix;

namespace mozilla {
namespace psm {

// Builds a trust domain from the certificates collected for this verification.
// The DER encoding of each certificate is copied into mIntermediates, which
// FindIssuer() later offers as candidate issuers. A certificate whose DER
// encoding cannot be retrieved is skipped without reporting an error; that
// only shrinks the set of candidate issuers.
//
// NOTE(review): every element of collectedCerts is dereferenced without a
// null check - presumably the caller guarantees non-null entries; confirm.
QWACTrustDomain::QWACTrustDomain(
    nsTArray<RefPtr<nsIX509Cert>>& collectedCerts) {
  for (const auto& collected : collectedCerts) {
    nsTArray<uint8_t> rawDER;
    if (!NS_SUCCEEDED(collected->GetRawDER(rawDER))) {
      // No usable encoding for this certificate; leave it out.
      continue;
    }
    mIntermediates.AppendElement(std::move(rawDER));
  }
}

// Offers candidate issuer certificates for |encodedIssuerName| to |checker|.
//
// Candidates are presented in this order:
//   1. the built-in QWAC trust anchors that
//      find_qwac_trust_anchors_by_subject() returns for the issuer name;
//   2. every certificate collected at construction time (mIntermediates).
//
// The collected certificates come from the TLS handshake and are therefore
// untrusted input. They are not filtered by subject name here.
// NOTE(review): this relies on checker.Check() to discard candidates that
// are not actually the issuer - confirm against the mozpkix path builder.
//
// Returns the first non-Success result produced while wrapping a trust anchor
// or by checker.Check(); otherwise Success, including when no candidate
// stopped the search. The Time argument is not used.
pkix::Result QWACTrustDomain::FindIssuer(Input encodedIssuerName,
                                         IssuerChecker& checker, Time) {
  // The FFI lookup takes an owned byte array, so copy the issuer name.
  nsTArray<uint8_t> issuerNameBytes(encodedIssuerName.UnsafeGetData(),
                                    encodedIssuerName.GetLength());
  nsTArray<nsTArray<uint8_t>> anchorsForIssuer;
  find_qwac_trust_anchors_by_subject(&issuerNameBytes, &anchorsForIssuer);

  // The Inputs below only borrow the bytes of anchorsForIssuer and
  // mIntermediates; both outlive issuerCandidates within this call.
  nsTArray<Input> issuerCandidates;

  for (const auto& anchorDER : anchorsForIssuer) {
    Input anchorInput;
    const pkix::Result initResult =
        anchorInput.Init(anchorDER.Elements(), anchorDER.Length());
    // The trust anchors are hard-coded and should never be too long, so a
    // failure here is unexpected and is reported rather than skipped.
    if (initResult != Success) {
      return initResult;
    }
    issuerCandidates.AppendElement(std::move(anchorInput));
  }

  for (const auto& intermediateDER : mIntermediates) {
    Input intermediateInput;
    // Handshake-supplied certificates may be too long for an Input; such a
    // certificate is simply not offered as a candidate.
    if (intermediateInput.Init(intermediateDER.Elements(),
                               intermediateDER.Length()) == Success) {
      issuerCandidates.AppendElement(std::move(intermediateInput));
    }
  }

  for (const auto& candidate : issuerCandidates) {
    bool keepGoing;  // written by checker.Check()
    const pkix::Result checkResult = checker.Check(
        candidate, nullptr /*additionalNameConstraints*/, keepGoing);
    if (checkResult != Success) {
      return checkResult;
    }
    if (!keepGoing) {
      break;
    }
  }

  return Success;
}

// Reports how much trust this domain places in |candidateCertDER|.
//
// The certificate is parsed to obtain its subject. The subject and the full
// DER encoding are then passed to is_qwac_trust_anchor(): on a match
// |trustLevel| is set to TrustAnchor, otherwise to InheritsTrust.
//
// Returns the parse error if the certificate cannot be decoded (|trustLevel|
// is left untouched in that case), otherwise Success. |policy| is not
// consulted.
//
// NOTE(review): this function never yields an actively-distrusted result, so
// any distrust decision has to be made elsewhere - confirm that is intended.
pkix::Result QWACTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
                                           const CertPolicyId& policy,
                                           Input candidateCertDER,
                                           /*out*/ TrustLevel& trustLevel) {
  BackCert parsedCandidate(candidateCertDER, endEntityOrCA, nullptr);
  const pkix::Result parseResult = parsedCandidate.Init();
  if (parseResult != Success) {
    return parseResult;
  }

  // The FFI predicate takes owned byte arrays, so copy both inputs.
  Input subjectName(parsedCandidate.GetSubject());
  nsTArray<uint8_t> subjectBytes(subjectName.UnsafeGetData(),
                                 subjectName.GetLength());
  nsTArray<uint8_t> certBytes(candidateCertDER.UnsafeGetData(),
                              candidateCertDER.GetLength());

  const bool isAnchor = is_qwac_trust_anchor(&subjectBytes, &certBytes);
  trustLevel = isAnchor ? TrustLevel::TrustAnchor : TrustLevel::InheritsTrust;

  return Success;
}

// Hashes |item| with |digestAlg| into the caller-provided buffer by delegating
// to DigestBufNSS(). |digestBufLen| is forwarded unchanged; this wrapper does
// no length validation of its own.
pkix::Result QWACTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
                                        /*out*/ uint8_t* digestBuf,
                                        size_t digestBufLen) {
  const pkix::Result digestResult =
      DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
  return digestResult;
}

// Revocation hook: returns Success unconditionally and ignores every
// argument. This trust domain therefore performs no revocation checking, and
// a successful verification through it says nothing about whether a
// certificate in the chain has been revoked.
//
// NOTE(review): confirm that revocation is either handled by another layer
// or deliberately out of scope for QWAC verification.
pkix::Result QWACTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&,
                                              Time, Duration,
                                              /*optional*/ const Input*,
                                              /*optional*/ const Input*) {
  return Success;
}

// Chain-level hook: returns Success for every chain. None of the arguments
// is inspected, so this trust domain adds no chain-wide requirements beyond
// the checks in its other methods.
pkix::Result QWACTrustDomain::IsChainValid(
    const DERArray& /*certChain*/, Time /*time*/,
    const CertPolicyId& /*requiredPolicy*/) {
  return Success;
}

// Digest-algorithm policy hook: returns Success for every algorithm it is
// asked about, so this trust domain does not reject any signature digest on
// policy grounds.
//
// NOTE(review): confirm that accepting every digest algorithm is intended
// for QWAC chains.
pkix::Result QWACTrustDomain::CheckSignatureDigestAlgorithm(
    DigestAlgorithm /*digestAlg*/, EndEntityOrCA, Time) {
  return Success;
}

// RSA key-size policy hook: returns Success for every modulus size, so this
// trust domain enforces no minimum RSA key length.
//
// NOTE(review): confirm that a minimum modulus size is enforced elsewhere or
// is intentionally not required for QWAC chains.
pkix::Result QWACTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
    EndEntityOrCA /*endEntityOrCA*/, unsigned int /*modulusSizeInBits*/) {
  return Success;
}

// Verifies an RSA PKCS#1 signature over |data| by delegating to
// VerifyRSAPKCS1SignedDataNSS(). The NSS helper's result is returned as-is.
pkix::Result QWACTrustDomain::VerifyRSAPKCS1SignedData(
    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    Input subjectPublicKeyInfo) {
  const pkix::Result verifyResult = VerifyRSAPKCS1SignedDataNSS(
      data, digestAlgorithm, signature, subjectPublicKeyInfo,
      nullptr /*pkcs11PinArg*/);
  return verifyResult;
}

// Verifies an RSA-PSS signature over |data| by delegating to
// VerifyRSAPSSSignedDataNSS(). The NSS helper's result is returned as-is.
pkix::Result QWACTrustDomain::VerifyRSAPSSSignedData(
    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    Input subjectPublicKeyInfo) {
  const pkix::Result verifyResult = VerifyRSAPSSSignedDataNSS(
      data, digestAlgorithm, signature, subjectPublicKeyInfo,
      nullptr /*pkcs11PinArg*/);
  return verifyResult;
}

// ECDSA curve policy hook: returns Success for every curve it is asked about,
// so this trust domain does not restrict which named curves are acceptable.
pkix::Result QWACTrustDomain::CheckECDSACurveIsAcceptable(
    EndEntityOrCA /*endEntityOrCA*/, NamedCurve /*curve*/) {
  return Success;
}

// Verifies an ECDSA signature over |data| by delegating to
// VerifyECDSASignedDataNSS(). The NSS helper's result is returned as-is.
pkix::Result QWACTrustDomain::VerifyECDSASignedData(
    Input data, DigestAlgorithm digestAlgorithm, Input signature,
    Input subjectPublicKeyInfo) {
  const pkix::Result verifyResult = VerifyECDSASignedDataNSS(
      data, digestAlgorithm, signature, subjectPublicKeyInfo,
      nullptr /*pkcs11PinArg*/);
  return verifyResult;
}

// Validity-period policy hook: returns Success unconditionally and ignores
// notBefore, notAfter, the certificate role and the key purpose. This trust
// domain therefore places no policy limit (such as a maximum lifetime) on a
// certificate's validity period.
// NOTE(review): whether the certificate is within its validity period at
// verification time is not decided here - presumably mozpkix checks that
// separately; confirm.
pkix::Result QWACTrustDomain::CheckValidityIsAcceptable(
    Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
    KeyPurposeId /*keyPurpose*/) {
  return Success;
}

// Auxiliary-extension hook: intentionally empty. Both the extension kind and
// its data are ignored, so nothing from auxiliary extensions is recorded or
// acted on by this trust domain.
void QWACTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension /*extension*/,
                                             Input /*extensionData*/) {}

}  // namespace psm
}  // namespace mozilla