DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Header

Mercurial (47d7c18620c8)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "RootCertificateTelemetryUtils.h"

#include "RootHashes.inc"  // Note: Generated by genRootCAHashes.js
#include "ScopedNSSTypes.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Logging.h"
#include "nsINSSComponent.h"
#include "nsNSSCertHelper.h"

namespace mozilla {
namespace psm {

mozilla::LazyLogModule gPublicKeyPinningTelemetryLog(
    "PublicKeyPinningTelemetryService");

// Used in the BinarySearch method, this does a memcmp between the pointer
// provided to its construtor and whatever the binary search is looking for.
//
// This implementation assumes everything to be of HASH_LEN, so it should not
// be used generically.
class BinaryHashSearchArrayComparator {
 public:
  explicit BinaryHashSearchArrayComparator(const uint8_t* aTarget, size_t len)
      : mTarget(aTarget) {
    MOZ_ASSERT(len == HASH_LEN, "Hashes should be of the same length.");
  }

  int operator()(const CertAuthorityHash val) const {
    return memcmp(mTarget, val.hash, HASH_LEN);
  }

 private:
  const uint8_t* mTarget;
};

// Perform a hash of the provided cert, then search in the RootHashes.inc data
// structure for a matching bin number.
// If no matching root is found, this may be a CA from the softoken (cert9.db),
// it may be a CA from an external PKCS#11 token, or it may be a CA from OS
// storage (Enterprise Root). The slot argument is used to attempt to determine
// this. See also the constants in RootCertificateTelemetryUtils.h.
int32_t RootCABinNumber(const SECItem* cert, PK11SlotInfo* slot) {
  Digest digest;

  // Compute SHA256 hash of the certificate
  nsresult rv = digest.DigestBuf(SEC_OID_SHA256, cert->data, cert->len);
  if (NS_WARN_IF(NS_FAILED(rv))) {
    return ROOT_CERTIFICATE_HASH_FAILURE;
  }

  // Compare against list of stored hashes
  size_t idx;

  MOZ_LOG(
      gPublicKeyPinningTelemetryLog, LogLevel::Debug,
      ("pkpinTelem: First bytes %02x %02x %02x %02x\n", digest.get().data[0],
       digest.get().data[1], digest.get().data[2], digest.get().data[3]));

  if (mozilla::BinarySearchIf(
          ROOT_TABLE, 0, ArrayLength(ROOT_TABLE),
          BinaryHashSearchArrayComparator(
              static_cast<uint8_t*>(digest.get().data), digest.get().len),
          &idx)) {
    MOZ_LOG(gPublicKeyPinningTelemetryLog, LogLevel::Debug,
            ("pkpinTelem: Telemetry index was %zu, bin is %d\n", idx,
             ROOT_TABLE[idx].binNumber));
    return (int32_t)ROOT_TABLE[idx].binNumber;
  }

  // Didn't match. It may be from the softoken, an external PKCS#11 token, or
  // imported from the OS as an "Enterprise Root".
  UniquePK11SlotInfo softokenSlot(PK11_GetInternalKeySlot());
  if (!softokenSlot) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  if (slot == softokenSlot.get()) {
    return ROOT_CERTIFICATE_SOFTOKEN;
  }
  UniquePK11SlotInfo nssInternalSlot(PK11_GetInternalSlot());
  UniqueSECMODModule rootsModule(SECMOD_FindModule(kRootModuleName));
  if (!rootsModule || rootsModule->slotCount != 1) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  if (slot && slot != nssInternalSlot.get() && slot != rootsModule->slots[0]) {
    return ROOT_CERTIFICATE_EXTERNAL_TOKEN;
  }
  nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
  if (!component) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  nsTArray<nsTArray<uint8_t>> enterpriseRoots;
  rv = component->GetEnterpriseRoots(enterpriseRoots);
  if (NS_FAILED(rv)) {
    return ROOT_CERTIFICATE_UNKNOWN;
  }
  for (const auto& enterpriseRoot : enterpriseRoots) {
    if (enterpriseRoot.Length() == cert->len &&
        memcmp(enterpriseRoot.Elements(), cert->data,
               enterpriseRoot.Length()) == 0) {
      return ROOT_CERTIFICATE_ENTERPRISE_ROOT;
    }
  }

  // We have no idea what this is.
  return ROOT_CERTIFICATE_UNKNOWN;
}

// Attempt to increment the appropriate bin in the provided Telemetry probe ID.
// If there was a hash failure, we do nothing.
void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
                                  const CERTCertificate* cert) {
  int32_t binId = RootCABinNumber(&cert->derCert, cert->slot);

  if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
    Accumulate(probe, binId);
  }
}

}  // namespace psm
}  // namespace mozilla