Google Git
Sign in
android / platform / external / cronet / 181bb755f589c53bd3e47be5f2a1883b9c33a562 / . / net / cert / internal / trust_store_nss.cc
blob: dab68a63e44871e5bf224440f5cf28945e8d44a4 [file] [log] [blame]
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/internal/trust_store_nss.h"
#include <cert.h>
#include <certdb.h>
#include <certt.h>
#include <pk11pub.h>
#include <pkcs11n.h>
#include <pkcs11t.h>
#include <seccomon.h>
#include <secmod.h>
#include <secmodt.h>
#include "base/hash/sha1.h"
#include "base/logging.h"
#include "base/notreached.h"
#include "base/strings/string_number_conversions.h"
#include "build/chromeos_buildflags.h"
#include "crypto/chaps_support.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "net/base/features.h"
#include "net/cert/internal/trust_store_features.h"
#include "net/cert/scoped_nss_types.h"
#include "net/cert/x509_util.h"
#include "net/cert/x509_util_nss.h"
#include "third_party/boringssl/src/pki/cert_errors.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"
#include "third_party/boringssl/src/pki/trust_store.h"
#if BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE)
// TODO(crbug.com/1482000): We can remove these weak attributes in M123 or
// later. Until then, these need to be declared with the weak attribute
// since older platforms may not provide these symbols.
extern "C" CERTCertList* CERT_CreateSubjectCertListForChromium(
CERTCertList* certList,
CERTCertDBHandle* handle,
const SECItem* name,
PRTime sorttime,
PRBool validOnly,
PRBool ignoreChaps) __attribute__((weak));
extern "C" CERTCertificate* CERT_FindCertByDERCertForChromium(
CERTCertDBHandle* handle,
SECItem* derCert,
PRBool ignoreChaps) __attribute__((weak));
#endif // BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE)
namespace net {
namespace {
struct FreePK11GenericObjects {
void operator()(PK11GenericObject* x) const {
if (x) {
PK11_DestroyGenericObjects(x);
}
}
};
using ScopedPK11GenericObjects =
std::unique_ptr<PK11GenericObject, FreePK11GenericObjects>;
// Get the list of all slots `nss_cert` is present in, along with the object
// handle of the cert in each of those slots.
//
// (Note that there is a PK11_GetAllSlotsForCert function that *seems* like it
// would be useful here, however it does not actually return all relevant
// slots.)
std::vector<std::pair<crypto::ScopedPK11Slot, CK_OBJECT_HANDLE>>
GetAllSlotsAndHandlesForCert(CERTCertificate* nss_cert,
bool ignore_chaps_module) {
std::vector<std::pair<crypto::ScopedPK11Slot, CK_OBJECT_HANDLE>> r;
crypto::AutoSECMODListReadLock lock_id;
for (const SECMODModuleList* item = SECMOD_GetDefaultModuleList();
item != nullptr; item = item->next) {
#if BUILDFLAG(IS_CHROMEOS)
if (ignore_chaps_module && crypto::IsChapsModule(item->module)) {
// This check avoids unnecessary IPCs between NSS and Chaps.
continue;
}
#endif // BUILDFLAG(IS_CHROMEOS)
for (int i = 0; i < item->module->slotCount; ++i) {
PK11SlotInfo* slot = item->module->slots[i];
if (PK11_IsPresent(slot)) {
CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, nss_cert, nullptr);
if (handle != CK_INVALID_HANDLE) {
r.emplace_back(PK11_ReferenceSlot(slot), handle);
}
}
}
}
return r;
}
bool IsMozillaCaPolicyProvided(PK11SlotInfo* slot,
CK_OBJECT_HANDLE cert_handle) {
return PK11_HasRootCerts(slot) &&
PK11_HasAttributeSet(slot, cert_handle, CKA_NSS_MOZILLA_CA_POLICY,
/*haslock=*/PR_FALSE) == CK_TRUE;
}
bool IsCertOnlyInNSSRoots(CERTCertificate* cert) {
// In this path, `cert` could be a client certificate, so we should not skip
// the chaps module.
std::vector<std::pair<crypto::ScopedPK11Slot, CK_OBJECT_HANDLE>>
slots_and_handles_for_cert =
GetAllSlotsAndHandlesForCert(cert, /*ignore_chaps_module=*/false);
for (const auto& [slot, handle] : slots_and_handles_for_cert) {
if (IsMozillaCaPolicyProvided(slot.get(), handle)) {
// Cert is an NSS root. Continue looking to see if it also is present in
// another slot.
continue;
}
// Found cert in a non-NSS roots slot.
return false;
}
// Cert was only found in NSS roots (or was not in any slots, but that
// shouldn't happen.)
return true;
}
} // namespace
TrustStoreNSS::ListCertsResult::ListCertsResult(ScopedCERTCertificate cert,
bssl::CertificateTrust trust)
: cert(std::move(cert)), trust(trust) {}
TrustStoreNSS::ListCertsResult::~ListCertsResult() = default;
TrustStoreNSS::ListCertsResult::ListCertsResult(ListCertsResult&& other) =
default;
TrustStoreNSS::ListCertsResult& TrustStoreNSS::ListCertsResult::operator=(
ListCertsResult&& other) = default;
TrustStoreNSS::TrustStoreNSS(UserSlotTrustSetting user_slot_trust_setting)
: user_slot_trust_setting_(std::move(user_slot_trust_setting)) {
#if BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE)
if (!CERT_CreateSubjectCertListForChromium) {
LOG(WARNING) << "CERT_CreateSubjectCertListForChromium is not available";
}
if (!CERT_FindCertByDERCertForChromium) {
LOG(WARNING) << "CERT_FindCertByDERCertForChromium is not available";
}
#endif // BUILDFLAG(IS_CHROMEOS) && BUILDFLAG(IS_CHROMEOS_DEVICE)
}
TrustStoreNSS::~TrustStoreNSS() = default;
void TrustStoreNSS::SyncGetIssuersOf(const bssl::ParsedCertificate* cert,
bssl::ParsedCertificateList* issuers) {
crypto::EnsureNSSInit();
SECItem name;
// Use the original issuer value instead of the normalized version. NSS does a
// less extensive normalization in its Name comparisons, so our normalized
// version may not match the unnormalized version.
name.len = cert->tbs().issuer_tlv.Length();
name.data = const_cast<uint8_t*>(cert->tbs().issuer_tlv.UnsafeData());
// |validOnly| in CERT_CreateSubjectCertList controls whether to return only
// certs that are valid at |sorttime|. Expiration isn't meaningful for trust
// anchors, so request all the matches.
#if !BUILDFLAG(IS_CHROMEOS) || !BUILDFLAG(IS_CHROMEOS_DEVICE)
crypto::ScopedCERTCertList found_certs(CERT_CreateSubjectCertList(
nullptr /* certList */, CERT_GetDefaultCertDB(), &name,
PR_Now() /* sorttime */, PR_FALSE /* validOnly */));
#else
crypto::ScopedCERTCertList found_certs;
if (CERT_CreateSubjectCertListForChromium) {
found_certs =
crypto::ScopedCERTCertList(CERT_CreateSubjectCertListForChromium(
nullptr /* certList */, CERT_GetDefaultCertDB(), &name,
PR_Now() /* sorttime */, PR_FALSE /* validOnly */,
PR_TRUE /* ignoreChaps */));
} else {
found_certs = crypto::ScopedCERTCertList(CERT_CreateSubjectCertList(
nullptr /* certList */, CERT_GetDefaultCertDB(), &name,
PR_Now() /* sorttime */, PR_FALSE /* validOnly */));
}
#endif // !BUILDFLAG(IS_CHROMEOS) || !BUILDFLAG(IS_CHROMEOS_DEVICE)
if (!found_certs) {
return;
}
for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
!CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
bssl::CertErrors parse_errors;
std::shared_ptr<const bssl::ParsedCertificate> cur_cert =
bssl::ParsedCertificate::Create(
x509_util::CreateCryptoBuffer(base::make_span(
node->cert->derCert.data, node->cert->derCert.len)),
{}, &parse_errors);
if (!cur_cert) {
// TODO(crbug.com/634443): return errors better.
LOG(ERROR) << "Error parsing issuer certificate:\n"
<< parse_errors.ToDebugString();
continue;
}
issuers->push_back(std::move(cur_cert));
}
}
std::vector<TrustStoreNSS::ListCertsResult>
TrustStoreNSS::ListCertsIgnoringNSSRoots() {
std::vector<TrustStoreNSS::ListCertsResult> results;
crypto::ScopedCERTCertList cert_list;
if (absl::holds_alternative<crypto::ScopedPK11Slot>(
user_slot_trust_setting_)) {
if (absl::get<crypto::ScopedPK11Slot>(user_slot_trust_setting_) ==
nullptr) {
return results;
}
cert_list.reset(PK11_ListCertsInSlot(
absl::get<crypto::ScopedPK11Slot>(user_slot_trust_setting_).get()));
} else {
cert_list.reset(PK11_ListCerts(PK11CertListUnique, nullptr));
}
// PK11_ListCerts[InSlot] can return nullptr, e.g. because the PKCS#11 token
// that was backing the specified slot is not available anymore.
// Treat it as no certificates being present on the slot.
if (!cert_list) {
LOG(WARNING) << (absl::holds_alternative<crypto::ScopedPK11Slot>(
user_slot_trust_setting_)
? "PK11_ListCertsInSlot"
: "PK11_ListCerts")
<< " returned null";
return results;
}
CERTCertListNode* node;
for (node = CERT_LIST_HEAD(cert_list); !CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
if (IsCertOnlyInNSSRoots(node->cert)) {
continue;
}
results.emplace_back(x509_util::DupCERTCertificate(node->cert),
GetTrustIgnoringSystemTrust(node->cert));
}
return results;
}
// TODO(https://crbug.com/1340420): add histograms? (how often hits fast vs
// medium vs slow path, timing of fast/medium/slow path/all, etc?)
// TODO(https://crbug.com/1340420): NSS also seemingly has some magical
// trusting of any self-signed cert with CKA_ID=0, if it doesn't have a
// matching trust object. Do we need to do that too? (this pk11_isID0 thing:
// https://searchfox.org/nss/source/lib/pk11wrap/pk11cert.c#357)
bssl::CertificateTrust TrustStoreNSS::GetTrust(
const bssl::ParsedCertificate* cert) {
crypto::EnsureNSSInit();
// If trust settings are only being used from a specified slot, and that slot
// is nullptr, there's nothing to do. This corresponds to the case where we
// wanted to get the builtin roots from NSS still but not user-added roots.
// Since the built-in roots are now coming from Chrome Root Store in this
// case, there is nothing to do here.
//
// (This ignores slots that would have been allowed by the "read-only
// internal slots" part of IsCertAllowedForTrust, I don't think that actually
// matters though.)
//
// TODO(https://crbug.com/1412591): once the non-CRS paths have been removed,
// perhaps remove this entirely and just have the caller not create a
// TrustStoreNSS at all in this case (or does it still need the
// SyncGetIssuersOf to find NSS temp certs in that case?)
if (absl::holds_alternative<crypto::ScopedPK11Slot>(
user_slot_trust_setting_) &&
absl::get<crypto::ScopedPK11Slot>(user_slot_trust_setting_) == nullptr) {
return bssl::CertificateTrust::ForUnspecified();
}
SECItem der_cert;
der_cert.data = const_cast<uint8_t*>(cert->der_cert().UnsafeData());
der_cert.len = base::checked_cast<unsigned>(cert->der_cert().Length());
der_cert.type = siDERCertBuffer;
// Find a matching NSS certificate object, if any. Note that NSS trust
// objects can also be keyed on issuer+serial and match any such cert. This
// is only used for distrust and apparently only in the NSS builtin roots
// certs module. Therefore, it should be safe to use the more efficient
// CERT_FindCertByDERCert to avoid having to have NSS parse the certificate
// and create a structure for it if the cert doesn't already exist in any of
// the loaded NSS databases.
#if !BUILDFLAG(IS_CHROMEOS) || !BUILDFLAG(IS_CHROMEOS_DEVICE)
ScopedCERTCertificate nss_cert(
CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert));
#else
ScopedCERTCertificate nss_cert;
if (CERT_FindCertByDERCertForChromium) {
nss_cert = ScopedCERTCertificate(CERT_FindCertByDERCertForChromium(
CERT_GetDefaultCertDB(), &der_cert, /*ignoreChaps=*/PR_TRUE));
} else {
nss_cert = ScopedCERTCertificate(
CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert));
}
#endif // !BUILDFLAG(IS_CHROMEOS) || !BUILDFLAG(IS_CHROMEOS_DEVICE)
if (!nss_cert) {
DVLOG(1) << "skipped cert that has no CERTCertificate already";
return bssl::CertificateTrust::ForUnspecified();
}
return GetTrustIgnoringSystemTrust(nss_cert.get());
}
bssl::CertificateTrust TrustStoreNSS::GetTrustIgnoringSystemTrust(
CERTCertificate* nss_cert) const {
// See if NSS has any trust settings for the certificate at all. If not,
// there is no point in doing further work.
CERTCertTrust nss_cert_trust;
if (CERT_GetCertTrust(nss_cert, &nss_cert_trust) != SECSuccess) {
DVLOG(1) << "skipped cert that has no trust settings";
return bssl::CertificateTrust::ForUnspecified();
}
// If there were trust settings, we may not be able to use the NSS calculated
// trust settings directly, since we don't know which slot those settings
// came from. Do a more careful check to only honor trust settings from slots
// we care about.
// We expect that CERT_GetCertTrust() != SECSuccess for client certs stored in
// Chaps. So, `nss_cert` should be a CA certificate and should not be stored
// in Chaps. Thus, we don't scan the chaps module in the following call for
// performance reasons.
std::vector<std::pair<crypto::ScopedPK11Slot, CK_OBJECT_HANDLE>>
slots_and_handles_for_cert =
GetAllSlotsAndHandlesForCert(nss_cert, /*ignore_chaps_module=*/true);
// Generally this shouldn't happen, though it is possible (ex, a builtin
// distrust record with no matching cert in the builtin trust store could
// match a NSS temporary cert that doesn't exist in any slot. Ignoring that
// is okay. Theoretically there maybe could be trust records with no matching
// cert in user slots? I don't know how that can actually happen though.)
if (slots_and_handles_for_cert.empty()) {
DVLOG(1) << "skipped cert that has no slots";
return bssl::CertificateTrust::ForUnspecified();
}
// List of trustOrder, slot pairs.
std::vector<std::pair<int, PK11SlotInfo*>> slots_to_check;
for (const auto& [slotref, handle] : slots_and_handles_for_cert) {
PK11SlotInfo* slot = slotref.get();
DVLOG(1) << "found cert in slot:" << PK11_GetSlotName(slot)
<< " token:" << PK11_GetTokenName(slot)
<< " module trustOrder: " << PK11_GetModule(slot)->trustOrder;
if (absl::holds_alternative<crypto::ScopedPK11Slot>(
user_slot_trust_setting_) &&
slot !=
absl::get<crypto::ScopedPK11Slot>(user_slot_trust_setting_).get()) {
DVLOG(1) << "skipping slot " << PK11_GetSlotName(slot)
<< ", it's not user_slot_trust_setting_";
continue;
}
if (IsMozillaCaPolicyProvided(slot, handle)) {
DVLOG(1) << "skipping slot " << PK11_GetSlotName(slot)
<< ", this is mozilla ca policy provided";
continue;
}
int trust_order = PK11_GetModule(slot)->trustOrder;
slots_to_check.emplace_back(trust_order, slot);
}
if (slots_to_check.size() == slots_and_handles_for_cert.size()) {
DVLOG(1) << "cert is only in allowed slots, using NSS calculated trust";
return GetTrustForNSSTrust(nss_cert_trust);
}
if (slots_to_check.empty()) {
DVLOG(1) << "cert is only in disallowed slots, skipping";
return bssl::CertificateTrust::ForUnspecified();
}
DVLOG(1) << "cert is in both allowed and disallowed slots, doing manual "
"trust calculation";
// Use PK11_FindGenericObjects + PK11_ReadRawAttribute to calculate the trust
// using only the slots we care about. (Some example code:
// https://searchfox.org/nss/source/gtests/pk11_gtest/pk11_import_unittest.cc#131)
//
// TODO(https://crbug.com/1340420): consider adding caching here if metrics
// show a need. If caching is added, note that NSS has no change notification
// APIs so we'd at least want to listen for CertDatabase notifications to
// clear the cache. (There are multiple approaches possible, could cache the
// hash->trust mappings on a per-slot basis, or just cache the end result for
// each cert, etc.)
base::SHA1Digest cert_sha1 = base::SHA1HashSpan(
base::make_span(nss_cert->derCert.data, nss_cert->derCert.len));
// Check the slots in trustOrder ordering. Lower trustOrder values are higher
// priority, so we can return as soon as we find a matching trust object.
std::sort(slots_to_check.begin(), slots_to_check.end());
for (const auto& [_, slot] : slots_to_check) {
DVLOG(1) << "looking for trust in slot " << PK11_GetSlotName(slot)
<< " token " << PK11_GetTokenName(slot);
ScopedPK11GenericObjects objs(PK11_FindGenericObjects(slot, CKO_NSS_TRUST));
if (!objs) {
DVLOG(1) << "no trust objects in slot";
continue;
}
for (PK11GenericObject* obj = objs.get(); obj != nullptr;
obj = PK11_GetNextGenericObject(obj)) {
crypto::ScopedSECItem sha1_hash_attr(SECITEM_AllocItem(/*arena=*/nullptr,
/*item=*/nullptr,
/*len=*/0));
SECStatus rv = PK11_ReadRawAttribute(
PK11_TypeGeneric, obj, CKA_CERT_SHA1_HASH, sha1_hash_attr.get());
if (rv != SECSuccess) {
DVLOG(1) << "trust object has no CKA_CERT_SHA1_HASH attr";
continue;
}
base::span<const uint8_t> trust_obj_sha1 = base::make_span(
sha1_hash_attr->data, sha1_hash_attr->data + sha1_hash_attr->len);
DVLOG(1) << "found trust object for sha1 "
<< base::HexEncode(trust_obj_sha1);
if (!std::equal(trust_obj_sha1.begin(), trust_obj_sha1.end(),
cert_sha1.begin(), cert_sha1.end())) {
DVLOG(1) << "trust object does not match target cert hash, skipping";
continue;
}
DVLOG(1) << "trust object matches target cert hash";
crypto::ScopedSECItem trust_attr(SECITEM_AllocItem(/*arena=*/nullptr,
/*item=*/nullptr,
/*len=*/0));
rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_TRUST_SERVER_AUTH,
trust_attr.get());
if (rv != SECSuccess) {
DVLOG(1) << "trust object for " << base::HexEncode(trust_obj_sha1)
<< "has no CKA_TRUST_x attr";
continue;
}
DVLOG(1) << "trust "
<< base::HexEncode(base::make_span(
trust_attr->data, trust_attr->data + trust_attr->len))
<< " for sha1 " << base::HexEncode(trust_obj_sha1);
CK_TRUST trust;
if (trust_attr->len != sizeof(trust)) {
DVLOG(1) << "trust is wrong size? skipping";
continue;
}
// This matches how pk11_GetTrustField in NSS converts the raw trust
// object to a CK_TRUST (actually an unsigned long).
// https://searchfox.org/nss/source/lib/pk11wrap/pk11nobj.c#37
memcpy(&trust, trust_attr->data, trust_attr->len);
// This doesn't handle the "TrustAnchorOrLeaf" combination, it's unclear
// how that is represented. But it doesn't really matter since the only
// case that would come up is if someone took one of the NSS builtin
// roots and then also locally marked it as trusted as both a CA and a
// leaf, which is non-sensical. Testing shows that will end up marked as
// CKT_NSS_TRUSTED_DELEGATOR, which is fine.
switch (trust) {
case CKT_NSS_TRUSTED:
if (base::FeatureList::IsEnabled(
features::kTrustStoreTrustedLeafSupport)) {
DVLOG(1) << "CKT_NSS_TRUSTED -> trusted leaf";
return bssl::CertificateTrust::ForTrustedLeaf();
} else {
DVLOG(1) << "CKT_NSS_TRUSTED -> unspecified";
return bssl::CertificateTrust::ForUnspecified();
}
case CKT_NSS_TRUSTED_DELEGATOR: {
DVLOG(1) << "CKT_NSS_TRUSTED_DELEGATOR -> trust anchor";
const bool enforce_anchor_constraints =
IsLocalAnchorConstraintsEnforcementEnabled();
return bssl::CertificateTrust::ForTrustAnchor()
.WithEnforceAnchorConstraints(enforce_anchor_constraints)
.WithEnforceAnchorExpiry(enforce_anchor_constraints);
}
case CKT_NSS_MUST_VERIFY_TRUST:
case CKT_NSS_VALID_DELEGATOR:
DVLOG(1) << "CKT_NSS_MUST_VERIFY_TRUST or CKT_NSS_VALID_DELEGATOR -> "
"unspecified";
return bssl::CertificateTrust::ForUnspecified();
case CKT_NSS_NOT_TRUSTED:
DVLOG(1) << "CKT_NSS_NOT_TRUSTED -> distrusted";
return bssl::CertificateTrust::ForDistrusted();
case CKT_NSS_TRUST_UNKNOWN:
DVLOG(1) << "CKT_NSS_TRUST_UNKNOWN trust value - skip";
break;
default:
DVLOG(1) << "unhandled trust value - skip";
break;
}
}
}
DVLOG(1) << "no suitable NSS trust record found";
return bssl::CertificateTrust::ForUnspecified();
}
bssl::CertificateTrust TrustStoreNSS::GetTrustForNSSTrust(
const CERTCertTrust& trust) const {
unsigned int trust_flags = SEC_GET_TRUST_FLAGS(&trust, trustSSL);
// Determine if the certificate is distrusted.
if ((trust_flags & (CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED_CA |
CERTDB_TRUSTED)) == CERTDB_TERMINAL_RECORD) {
return bssl::CertificateTrust::ForDistrusted();
}
bool is_trusted_ca = false;
bool is_trusted_leaf = false;
const bool enforce_anchor_constraints =
IsLocalAnchorConstraintsEnforcementEnabled();
// Determine if the certificate is a trust anchor.
if ((trust_flags & CERTDB_TRUSTED_CA) == CERTDB_TRUSTED_CA) {
is_trusted_ca = true;
}
if (base::FeatureList::IsEnabled(features::kTrustStoreTrustedLeafSupport)) {
constexpr unsigned int kTrustedPeerBits =
CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
if ((trust_flags & kTrustedPeerBits) == kTrustedPeerBits) {
is_trusted_leaf = true;
}
}
if (is_trusted_ca && is_trusted_leaf) {
return bssl::CertificateTrust::ForTrustAnchorOrLeaf()
.WithEnforceAnchorConstraints(enforce_anchor_constraints)
.WithEnforceAnchorExpiry(enforce_anchor_constraints);
} else if (is_trusted_ca) {
return bssl::CertificateTrust::ForTrustAnchor()
.WithEnforceAnchorConstraints(enforce_anchor_constraints)
.WithEnforceAnchorExpiry(enforce_anchor_constraints);
} else if (is_trusted_leaf) {
return bssl::CertificateTrust::ForTrustedLeaf();
}
return bssl::CertificateTrust::ForUnspecified();
}
} // namespace net