File: RootCertificateTelemetryUtils.cpp

package info (click to toggle)
firefox 147.0.3-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 4,683,320 kB
  • sloc: cpp: 7,607,359; javascript: 6,533,295; ansic: 3,775,223; python: 1,415,500; xml: 634,561; asm: 438,949; java: 186,241; sh: 62,752; makefile: 18,079; objc: 13,092; perl: 12,808; yacc: 4,583; cs: 3,846; pascal: 3,448; lex: 1,720; ruby: 1,003; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10; exp: 6
file content (127 lines) | stat: -rw-r--r-- 4,846 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "RootCertificateTelemetryUtils.h"

#include "PKCS11ModuleDB.h"
#include "RootHashes.inc"  // Note: Generated by genRootCAHashes.js
#include "ScopedNSSTypes.h"
#include "mozilla/Logging.h"
#include "nsINSSComponent.h"
#include "nsServiceManagerUtils.h"
#include "pk11pub.h"

namespace mozilla {
namespace psm {

mozilla::LazyLogModule gPublicKeyPinningTelemetryLog(
    "PublicKeyPinningTelemetryService");

// Used in the BinarySearch method, this does a memcmp between the pointer
// provided to its construtor and whatever the binary search is looking for.
//
// This implementation assumes everything to be of HASH_LEN, so it should not
// be used generically.
class BinaryHashSearchArrayComparator {
 public:
  explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len)
      : mTarget(aTarget) {
    MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length.");
  }

  int operator()(const CertAuthorityHash val) const {
    return memcmp(mTarget, val.hash, HASH_LEN);
  }

 private:
  const uint8_t* mTarget;
};

// Perform a hash of the provided cert, then search in the RootHashes.inc data
// structure for a matching bin number.
// If no matching root is found, this may be a CA from the softoken (cert9.db),
// it may be a CA from an external PKCS#11 token, or it may be a CA from OS
// storage (Enterprise Root).
// See also the constants in RootCertificateTelemetryUtils.h.
int32_t RootCABinNumber(Span<const uint8_t> cert) {
  nsTArray<uint8_t> digestArray;

  // Compute SHA256 hash of the certificate
  nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, cert, digestArray);
  if (NS_WARN_IF(NS_FAILED(rv))) {
    return ROOT_CERTIFICATE_HASH_FAILURE;
  }

  // Compare against list of stored hashes
  size_t idx;

  MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
          ("pkpinTelem: First bytes %02x %02x %02x %02x\n",
           digestArray.ElementAt(0), digestArray.ElementAt(1),
           digestArray.ElementAt(2), digestArray.ElementAt(3)));

  if (mozilla::BinarySearchIf(ROOT_TABLE, 0, std::size(ROOT_TABLE),
                              BinaryHashSearchArrayComparator(
                                  digestArray.Elements(), digestArray.Length()),
                              &idx)) {
    MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
            ("pkpinTelem: Telemetry index was %zu, bin is %d\n", idx,
             ROOT_TABLE[idx].binNumber));
    return (int32_t)ROOT_TABLE[idx].binNumber;
  }

  // Didn't find this certificate in the built-in list. It may be an enterprise
  // root (gathered from the OS) or it may be from the softoken or an external
  // PKCS#11 token.
  nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
  if (!component) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  nsTArray<nsTArray<uint8_t>> enterpriseRoots;
  rv = component->GetEnterpriseRoots(enterpriseRoots);
  if (NS_FAILED(rv)) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  for (const auto& enterpriseRoot : enterpriseRoots) {
    if (enterpriseRoot.Length() == cert.size() &&
        memcmp(enterpriseRoot.Elements(), cert.data(),
               enterpriseRoot.Length()) == 0) {
      return ROOT_CERTIFICATE_ENTERPRISE_ROOT;
    }
  }

  SECItem certItem = {siBuffer, const_cast<uint8_t*>(cert.data()),
                      static_cast<unsigned int>(cert.size())};
  UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot());
  if (!softokenSlot) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  CK_OBJECT_HANDLE softokenCertHandle =
      PK11_FindEncodedCertInSlot(softokenSlot.get(), &certItem, nullptr);
  if (softokenCertHandle != CK_INVALID_HANDLE) {
    return ROOT_CERTIFICATE_SOFTOKEN;
  }
  // In theory this should never find the certificate in the root module,
  // because then it should have already matched our built-in list. This is
  // here as a backstop to catch situations where a built-in root was added but
  // the built-in telemetry information was not updated.
  UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName.get()));
  AutoSECMODListReadLock secmodLock;
  if (!rootsModule || rootsModule->slotCount != 1) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  CK_OBJECT_HANDLE builtinCertHandle =
      PK11_FindEncodedCertInSlot(rootsModule->slots[0], &certItem, nullptr);
  if (builtinCertHandle == CK_INVALID_HANDLE) {
    return ROOT_CERTIFICATE_EXTERNAL_TOKEN;
  }

  // We have no idea what this is.
  return ROOT_CERTIFICATE_UNKNOWN;
}

}  // namespace psm
}  // namespace mozilla