Result
IsCertChainRootBuiltInRoot(CERTCertList* chain, bool& result)
{
if (!chain || CERT_LIST_EMPTY(chain)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
CERTCertListNode* rootNode = CERT_LIST_TAIL(chain);
if (!rootNode) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
CERTCertificate* root = rootNode->cert;
if (!root) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
return IsCertBuiltInRoot(root, result);
}
Result
CertListContainsExpectedKeys(const CERTCertList* certList,
const char* hostname, Time time,
CertVerifier::PinningMode pinningMode)
{
if (pinningMode == CertVerifier::pinningDisabled) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("Pinning is disabled; not checking keys."));
return Success;
}
if (!certList) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);
if (CERT_LIST_END(rootNode, certList)) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
bool isBuiltInRoot = false;
SECStatus srv = IsCertBuiltInRoot(rootNode->cert, isBuiltInRoot);
if (srv != SECSuccess) {
return MapPRErrorCodeToResult(PR_GetError());
}
// If desired, the user can enable "allow user CA MITM mode", in which
// case key pinning is not enforced for certificates that chain to trust
// anchors that are not in Mozilla's root program
if (!isBuiltInRoot && pinningMode == CertVerifier::pinningAllowUserCAMITM) {
return Success;
}
bool enforceTestMode = (pinningMode == CertVerifier::pinningEnforceTestMode);
if (PublicKeyPinningService::ChainHasValidPins(certList, hostname, time,
enforceTestMode)) {
return Success;
}
return Result::ERROR_KEY_PINNING_FAILURE;
}
SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
PRBool* chainOK)
{
ChainValidationCallbackState* callbackState =
reinterpret_cast<ChainValidationCallbackState*>(state);
*chainOK = PR_FALSE;
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("verifycert: Inside the Callback \n"));
// On sanity failure we fail closed.
if (!certList) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("verifycert: Short circuit, callback, sanity check failed \n"));
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
if (!callbackState) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("verifycert: Short circuit, callback, no state! \n"));
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
if (callbackState->usage != certificateUsageSSLServer ||
callbackState->pinningEnforcementLevel == CertVerifier::pinningDisabled) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("verifycert: Callback shortcut pel=%d \n",
callbackState->pinningEnforcementLevel));
*chainOK = PR_TRUE;
return SECSuccess;
}
for (CERTCertListNode* node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList);
node = CERT_LIST_NEXT(node)) {
CERTCertificate* currentCert = node->cert;
if (CERT_LIST_END(CERT_LIST_NEXT(node), certList)) {
bool isBuiltInRoot = false;
SECStatus srv = IsCertBuiltInRoot(currentCert, isBuiltInRoot);
if (srv != SECSuccess) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Is BuiltInRoot failure"));
return srv;
}
// If desired, the user can enable "allow user CA MITM mode", in which
// case key pinning is not enforced for certificates that chain to trust
// anchors that are not in Mozilla's root program
if (!isBuiltInRoot &&
(callbackState->pinningEnforcementLevel ==
CertVerifier::pinningAllowUserCAMITM)) {
*chainOK = PR_TRUE;
return SECSuccess;
}
}
}
bool enforceTestMode = (callbackState->pinningEnforcementLevel ==
CertVerifier::pinningEnforceTestMode);
*chainOK = PublicKeyPinningService::
ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
enforceTestMode);
return SECSuccess;
}
