nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity
fune/security/manager/ssl/RemoteSecuritySettings.jsm
Cristian Tuns b3bf09cc0d Backed out 6 changesets (bug 1816934, bug 1817182, bug 1817179, bug 1817183) for causing dt failures in browser_jsterm_autocomplete_null.js CLOSED TREE 
Backed out changeset 17d4c013ed92 (bug 1817183)
Backed out changeset cfed8d9c23f3 (bug 1817183)
Backed out changeset 62fe2f589efe (bug 1817182)
Backed out changeset 557bd773fb85 (bug 1817179)
Backed out changeset 7f8a7865868b (bug 1816934)
Backed out changeset d6c1d4c0d2a0 (bug 1816934)
2023-02-17 10:51:33 -05:00

719 lines
22 KiB
JavaScript
Raw Blame History

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
const EXPORTED_SYMBOLS = ["RemoteSecuritySettings"];
const { RemoteSettings } = ChromeUtils.import(
"resource://services-settings/remote-settings.js"
);
const { XPCOMUtils } = ChromeUtils.importESModule(
"resource://gre/modules/XPCOMUtils.sys.mjs"
);
const { X509 } = ChromeUtils.import("resource://gre/modules/psm/X509.jsm");
const SECURITY_STATE_BUCKET = "security-state";
const SECURITY_STATE_SIGNER = "onecrl.content-signature.mozilla.org";
const INTERMEDIATES_DL_PER_POLL_PREF =
"security.remote_settings.intermediates.downloads_per_poll";
const INTERMEDIATES_DL_PARALLEL_REQUESTS =
"security.remote_settings.intermediates.parallel_downloads";
const INTERMEDIATES_ENABLED_PREF =
"security.remote_settings.intermediates.enabled";
const LOGLEVEL_PREF = "browser.policies.loglevel";
const CRLITE_FILTERS_ENABLED_PREF =
"security.remote_settings.crlite_filters.enabled";
const lazy = {};
XPCOMUtils.defineLazyGetter(lazy, "gTextDecoder", () => new TextDecoder());
XPCOMUtils.defineLazyGetter(lazy, "log", () => {
let { ConsoleAPI } = ChromeUtils.importESModule(
"resource://gre/modules/Console.sys.mjs"
);
return new ConsoleAPI({
prefix: "RemoteSecuritySettings.jsm",
// tip: set maxLogLevel to "debug" and use log.debug() to create detailed
// messages during development. See LOG_LEVELS in Console.sys.mjs for details.
maxLogLevel: "error",
maxLogLevelPref: LOGLEVEL_PREF,
});
});
// Converts a JS string to an array of bytes consisting of the char code at each
// index in the string.
function stringToBytes(s) {
let b = [];
for (let i = 0; i < s.length; i++) {
b.push(s.charCodeAt(i));
}
return b;
}
// Converts an array of bytes to a JS string using fromCharCode on each byte.
function bytesToString(bytes) {
if (bytes.length > 65535) {
throw new Error("input too long for bytesToString");
}
return String.fromCharCode.apply(null, bytes);
}
class CRLiteCoverage {
constructor(b64LogID, minTimestamp, maxTimestamp) {
this.b64LogID = b64LogID;
this.minTimestamp = minTimestamp;
this.maxTimestamp = maxTimestamp;
}
}
CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([
"nsICRLiteCoverage",
]);
class CertInfo {
constructor(cert, subject) {
this.cert = cert;
this.subject = subject;
this.trust = Ci.nsICertStorage.TRUST_INHERIT;
}
}
CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]);
class RevocationState {
constructor(state) {
this.state = state;
}
}
class IssuerAndSerialRevocationState extends RevocationState {
constructor(issuer, serial, state) {
super(state);
this.issuer = issuer;
this.serial = serial;
}
}
IssuerAndSerialRevocationState.prototype.QueryInterface = ChromeUtils.generateQI(
["nsIIssuerAndSerialRevocationState"]
);
class SubjectAndPubKeyRevocationState extends RevocationState {
constructor(subject, pubKey, state) {
super(state);
this.subject = subject;
this.pubKey = pubKey;
}
}
SubjectAndPubKeyRevocationState.prototype.QueryInterface = ChromeUtils.generateQI(
["nsISubjectAndPubKeyRevocationState"]
);
function setRevocations(certStorage, revocations) {
return new Promise(resolve =>
certStorage.setRevocations(revocations, resolve)
);
}
/**
* Helper function that returns a promise that will resolve with whether or not
* the nsICertStorage implementation has prior data of the given type.
*
* @param {Integer} dataType a Ci.nsICertStorage.DATA_TYPE_* constant
* indicating the type of data
* @returns {Promise} a promise that will resolve with true if the data type is
* present
*/
function hasPriorData(dataType) {
let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
Ci.nsICertStorage
);
return new Promise(resolve => {
certStorage.hasPriorData(dataType, (rv, hasPriorData) => {
if (rv == Cr.NS_OK) {
resolve(hasPriorData);
} else {
// If calling hasPriorData failed, assume we need to reload everything
// (even though it's unlikely doing so will succeed).
resolve(false);
}
});
});
}
/**
* Revoke the appropriate certificates based on the records from the blocklist.
*
* @param {object} options
* @param {object} options.data Current records in the local db.
* @param {Array} options.data.current
* @param {Array} options.data.created
* @param {Array} options.data.updated
* @param {Array} options.data.deleted
*/
const updateCertBlocklist = async function({
data: { current, created, updated, deleted },
}) {
let items = [];
// See if we have prior revocation data (this can happen when we can't open
// the database and we have to re-create it (see bug 1546361)).
let hasPriorRevocationData = await hasPriorData(
Ci.nsICertStorage.DATA_TYPE_REVOCATION
);
// If we don't have prior data, make it so we re-load everything.
if (!hasPriorRevocationData) {
deleted = [];
updated = [];
created = current;
}
let toDelete = deleted.concat(updated.map(u => u.old));
for (let item of toDelete) {
if (item.issuerName && item.serialNumber) {
items.push(
new IssuerAndSerialRevocationState(
item.issuerName,
item.serialNumber,
Ci.nsICertStorage.STATE_UNSET
)
);
} else if (item.subject && item.pubKeyHash) {
items.push(
new SubjectAndPubKeyRevocationState(
item.subject,
item.pubKeyHash,
Ci.nsICertStorage.STATE_UNSET
)
);
}
}
const toAdd = created.concat(updated.map(u => u.new));
for (let item of toAdd) {
if (item.issuerName && item.serialNumber) {
items.push(
new IssuerAndSerialRevocationState(
item.issuerName,
item.serialNumber,
Ci.nsICertStorage.STATE_ENFORCE
)
);
} else if (item.subject && item.pubKeyHash) {
items.push(
new SubjectAndPubKeyRevocationState(
item.subject,
item.pubKeyHash,
Ci.nsICertStorage.STATE_ENFORCE
)
);
}
}
try {
const certList = Cc["@mozilla.org/security/certstorage;1"].getService(
Ci.nsICertStorage
);
await setRevocations(certList, items);
} catch (e) {
lazy.log.error(e);
}
};
var RemoteSecuritySettings = {
_initialized: false,
OneCRLBlocklistClient: null,
IntermediatePreloadsClient: null,
CRLiteFiltersClient: null,
/**
* Initialize the clients (cheap instantiation) and setup their sync event.
* This static method is called from BrowserGlue.sys.mjs soon after startup.
*
* @returns {object} instantiated clients for security remote settings.
*/
init() {
// Avoid repeated initialization (work-around for bug 1730026).
if (this._initialized) {
return this;
}
this._initialized = true;
this.OneCRLBlocklistClient = RemoteSettings("onecrl", {
bucketName: SECURITY_STATE_BUCKET,
signerName: SECURITY_STATE_SIGNER,
});
this.OneCRLBlocklistClient.on("sync", updateCertBlocklist);
this.IntermediatePreloadsClient = new IntermediatePreloads();
this.CRLiteFiltersClient = new CRLiteFilters();
this.CRLiteFiltersClient.cleanAttachmentCache();
return this;
},
};
class IntermediatePreloads {
constructor() {
this.client = RemoteSettings("intermediates", {
bucketName: SECURITY_STATE_BUCKET,
signerName: SECURITY_STATE_SIGNER,
localFields: ["cert_import_complete"],
});
this.client.on("sync", this.onSync.bind(this));
Services.obs.addObserver(
this.onObservePollEnd.bind(this),
"remote-settings:changes-poll-end"
);
lazy.log.debug("Intermediate Preloading: constructor");
}
async updatePreloadedIntermediates() {
if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) {
lazy.log.debug("Intermediate Preloading is disabled");
Services.obs.notifyObservers(
null,
"remote-security-settings:intermediates-updated",
"disabled"
);
return;
}
// Download attachments that are awaiting download, up to a max.
const maxDownloadsPerRun = Services.prefs.getIntPref(
INTERMEDIATES_DL_PER_POLL_PREF,
100
);
const parallelDownloads = Services.prefs.getIntPref(
INTERMEDIATES_DL_PARALLEL_REQUESTS,
8
);
// Bug 1519256: Move this to a separate method that's on a separate timer
// with a higher frequency (so we can attempt to download outstanding
// certs more than once daily)
// See if we have prior cert data (this can happen when we can't open the database and we
// have to re-create it (see bug 1546361)).
let hasPriorCertData = await hasPriorData(
Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
);
// If we don't have prior data, make it so we re-load everything.
if (!hasPriorCertData) {
let current;
try {
current = await this.client.db.list();
} catch (err) {
lazy.log.warn(
`Unable to list intermediate preloading collection: ${err}`
);
return;
}
const toReset = current.filter(record => record.cert_import_complete);
try {
await this.client.db.importChanges(
undefined, // do not touch metadata.
undefined, // do not touch collection timestamp.
toReset.map(r => ({ ...r, cert_import_complete: false }))
);
} catch (err) {
lazy.log.warn(
`Unable to update intermediate preloading collection: ${err}`
);
return;
}
}
let current;
try {
current = await this.client.db.list();
} catch (err) {
lazy.log.warn(
`Unable to list intermediate preloading collection: ${err}`
);
return;
}
const waiting = current.filter(record => !record.cert_import_complete);
lazy.log.debug(
`There are ${waiting.length} intermediates awaiting download.`
);
if (!waiting.length) {
// Nothing to do.
Services.obs.notifyObservers(
null,
"remote-security-settings:intermediates-updated",
"success"
);
return;
}
let toDownload = waiting.slice(0, maxDownloadsPerRun);
let recordsCertsAndSubjects = [];
for (let i = 0; i < toDownload.length; i += parallelDownloads) {
const chunk = toDownload.slice(i, i + parallelDownloads);
const downloaded = await Promise.all(
chunk.map(record => this.maybeDownloadAttachment(record))
);
recordsCertsAndSubjects = recordsCertsAndSubjects.concat(downloaded);
}
let certInfos = [];
let recordsToUpdate = [];
for (let { record, cert, subject } of recordsCertsAndSubjects) {
if (cert && subject) {
certInfos.push(new CertInfo(cert, subject));
recordsToUpdate.push(record);
}
}
const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
Ci.nsICertStorage
);
let result = await new Promise(resolve => {
certStorage.addCerts(certInfos, resolve);
}).catch(err => err);
if (result != Cr.NS_OK) {
lazy.log.error(`certStorage.addCerts failed: ${result}`);
return;
}
try {
await this.client.db.importChanges(
undefined, // do not touch metadata.
undefined, // do not touch collection timestamp.
recordsToUpdate.map(r => ({ ...r, cert_import_complete: true }))
);
} catch (err) {
lazy.log.warn(
`Unable to update intermediate preloading collection: ${err}`
);
return;
}
Services.obs.notifyObservers(
null,
"remote-security-settings:intermediates-updated",
"success"
);
}
async onObservePollEnd(subject, topic, data) {
lazy.log.debug(`onObservePollEnd ${subject} ${topic}`);
try {
await this.updatePreloadedIntermediates();
} catch (err) {
lazy.log.warn(`Unable to update intermediate preloads: ${err}`);
}
}
// This method returns a promise to RemoteSettingsClient.maybeSync method.
async onSync({ data: { current, created, updated, deleted } }) {
if (!Services.prefs.getBoolPref(INTERMEDIATES_ENABLED_PREF, true)) {
lazy.log.debug("Intermediate Preloading is disabled");
return;
}
lazy.log.debug(`Removing ${deleted.length} Intermediate certificates`);
await this.removeCerts(deleted);
}
/**
* Attempts to download the attachment, assuming it's not been processed
* already. Does not retry, and always resolves (e.g., does not reject upon
* failure.) Errors are reported via console.error.
*
* @param {AttachmentRecord} record defines which data to obtain
* @returns {Promise} a Promise that will resolve to an object with the properties
* record, cert, and subject. record is the original record.
* cert is the base64-encoded bytes of the downloaded certificate (if
* downloading was successful), and null otherwise.
* subject is the base64-encoded bytes of the subject distinguished
* name of the same.
*/
async maybeDownloadAttachment(record) {
let result = { record, cert: null, subject: null };
let dataAsString = null;
try {
let buffer = await this.client.attachments.downloadAsBytes(record, {
retries: 0,
});
dataAsString = lazy.gTextDecoder.decode(new Uint8Array(buffer));
} catch (err) {
if (err.name == "BadContentError") {
lazy.log.debug(`Bad attachment content.`);
} else {
lazy.log.error(`Failed to download attachment: ${err}`);
}
return result;
}
let certBase64;
let subjectBase64;
try {
// split off the header and footer
certBase64 = dataAsString.split("-----")[2].replace(/\s/g, "");
// get an array of bytes so we can use X509.jsm
let certBytes = stringToBytes(atob(certBase64));
let cert = new X509.Certificate();
cert.parse(certBytes);
// get the DER-encoded subject and get a base64-encoded string from it
// TODO(bug 1542028): add getters for _der and _bytes
subjectBase64 = btoa(
bytesToString(cert.tbsCertificate.subject._der._bytes)
);
} catch (err) {
lazy.log.error(`Failed to decode cert: ${err}`);
return result;
}
result.cert = certBase64;
result.subject = subjectBase64;
return result;
}
async maybeSync(expectedTimestamp, options) {
return this.client.maybeSync(expectedTimestamp, options);
}
async removeCerts(recordsToRemove) {
let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
Ci.nsICertStorage
);
let hashes = recordsToRemove.map(record => record.derHash);
let result = await new Promise(resolve => {
certStorage.removeCertsByHashes(hashes, resolve);
}).catch(err => err);
if (result != Cr.NS_OK) {
lazy.log.error(`Failed to remove some intermediate certificates`);
}
}
}
// Helper function to compare filters. One filter is "less than" another filter (i.e. it sorts
// earlier) if its timestamp is farther in the past than the other.
function compareFilters(filterA, filterB) {
return filterA.effectiveTimestamp - filterB.effectiveTimestamp;
}
class CRLiteFilters {
constructor() {
this.client = RemoteSettings("cert-revocations", {
bucketName: SECURITY_STATE_BUCKET,
signerName: SECURITY_STATE_SIGNER,
localFields: ["loaded_into_cert_storage"],
});
Services.obs.addObserver(
this.onObservePollEnd.bind(this),
"remote-settings:changes-poll-end"
);
}
async cleanAttachmentCache() {
// Bug 1795710 - misuse of Remote Settings `downloadToDisk` caused us to
// keep filters and stashes on disk indefinitely. We're no longer caching
// these downloads, so if there are any filters still in the cache they can
// be removed.
let cachePath = PathUtils.join(
PathUtils.localProfileDir,
...this.client.attachments.folders
);
try {
let needCleanup = await IOUtils.exists(cachePath);
if (needCleanup) {
let cacheFiles = await IOUtils.getChildren(cachePath);
let staleFilters = cacheFiles.filter(
path => path.endsWith("filter") || path.endsWith("filter.stash")
);
if (cacheFiles.length == staleFilters.length) {
// Expected case. No files other than filters, we can remove the
// entire directory
await IOUtils.remove(cachePath, { recursive: true });
} else {
for (let filter of staleFilters) {
await IOUtils.remove(filter);
}
}
}
} catch (e) {
lazy.log.error("Could not clean cert-revocations attachment cache", e);
}
}
async onObservePollEnd(subject, topic, data) {
if (!Services.prefs.getBoolPref(CRLITE_FILTERS_ENABLED_PREF, true)) {
lazy.log.debug("CRLite filter downloading is disabled");
Services.obs.notifyObservers(
null,
"remote-security-settings:crlite-filters-downloaded",
"disabled"
);
return;
}
let hasPriorFilter = await hasPriorData(
Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL
);
if (!hasPriorFilter) {
let current = await this.client.db.list();
let toReset = current.filter(
record => !record.incremental && record.loaded_into_cert_storage
);
await this.client.db.importChanges(
undefined, // do not touch metadata.
undefined, // do not touch collection timestamp.
toReset.map(r => ({ ...r, loaded_into_cert_storage: false }))
);
}
let hasPriorStash = await hasPriorData(
Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL
);
if (!hasPriorStash) {
let current = await this.client.db.list();
let toReset = current.filter(
record => record.incremental && record.loaded_into_cert_storage
);
await this.client.db.importChanges(
undefined, // do not touch metadata.
undefined, // do not touch collection timestamp.
toReset.map(r => ({ ...r, loaded_into_cert_storage: false }))
);
}
let current = await this.client.db.list();
let fullFilters = current.filter(filter => !filter.incremental);
if (fullFilters.length < 1) {
lazy.log.debug("no full CRLite filters to download?");
Services.obs.notifyObservers(
null,
"remote-security-settings:crlite-filters-downloaded",
"unavailable"
);
return;
}
fullFilters.sort(compareFilters);
lazy.log.debug("fullFilters:", fullFilters);
let fullFilter = fullFilters.pop(); // the most recent filter sorts last
let incrementalFilters = current.filter(
filter =>
// Return incremental filters that are more recent than (i.e. sort later than) the full
// filter.
filter.incremental && compareFilters(filter, fullFilter) > 0
);
incrementalFilters.sort(compareFilters);
// Map of id to filter where that filter's parent has the given id.
let parentIdMap = {};
for (let filter of incrementalFilters) {
if (filter.parent in parentIdMap) {
lazy.log.debug(`filter with parent id ${filter.parent} already seen?`);
} else {
parentIdMap[filter.parent] = filter;
}
}
let filtersToDownload = [];
let nextFilter = fullFilter;
while (nextFilter) {
filtersToDownload.push(nextFilter);
nextFilter = parentIdMap[nextFilter.id];
}
const certList = Cc["@mozilla.org/security/certstorage;1"].getService(
Ci.nsICertStorage
);
filtersToDownload = filtersToDownload.filter(
filter => !filter.loaded_into_cert_storage
);
lazy.log.debug("filtersToDownload:", filtersToDownload);
let filtersDownloaded = [];
for (let filter of filtersToDownload) {
try {
let attachment = await this.client.attachments.downloadAsBytes(filter);
let bytes = new Uint8Array(attachment);
lazy.log.debug(
`Downloaded ${filter.details.name}: ${bytes.length} bytes`
);
filter.bytes = bytes;
filtersDownloaded.push(filter);
} catch (e) {
lazy.log.error("failed to download CRLite filter", e);
}
}
let fullFiltersDownloaded = filtersDownloaded.filter(
filter => !filter.incremental
);
if (fullFiltersDownloaded.length) {
if (fullFiltersDownloaded.length > 1) {
lazy.log.warn("trying to install more than one full CRLite filter?");
}
let filter = fullFiltersDownloaded[0];
let coverage = [];
if (filter.coverage) {
for (let entry of filter.coverage) {
coverage.push(
new CRLiteCoverage(
entry.logID,
entry.minTimestamp,
entry.maxTimestamp
)
);
}
}
let enrollment = filter.enrolledIssuers ? filter.enrolledIssuers : [];
await new Promise(resolve => {
certList.setFullCRLiteFilter(filter.bytes, enrollment, coverage, rv => {
lazy.log.debug(`setFullCRLiteFilter: ${rv}`);
resolve();
});
});
}
let stashes = filtersDownloaded.filter(filter => filter.incremental);
let totalLength = stashes.reduce(
(sum, filter) => sum + filter.bytes.length,
0
);
let concatenatedStashes = new Uint8Array(totalLength);
let offset = 0;
for (let filter of stashes) {
concatenatedStashes.set(filter.bytes, offset);
offset += filter.bytes.length;
}
if (concatenatedStashes.length) {
lazy.log.debug(
`adding concatenated incremental updates of total length ${concatenatedStashes.length}`
);
await new Promise(resolve => {
certList.addCRLiteStash(concatenatedStashes, rv => {
lazy.log.debug(`addCRLiteStash: ${rv}`);
resolve();
});
});
}
for (let filter of filtersDownloaded) {
delete filter.bytes;
}
await this.client.db.importChanges(
undefined, // do not touch metadata.
undefined, // do not touch collection timestamp.
filtersDownloaded.map(r => ({ ...r, loaded_into_cert_storage: true }))
);
Services.obs.notifyObservers(
null,
"remote-security-settings:crlite-filters-downloaded",
`finished;${filtersDownloaded
.map(filter => filter.details.name)
.join(",")}`
);
}
}
View git blame Copy permalink