Closed Bug 790809 Opened 12 years ago Closed 10 years ago

Add libpkix certificate verification callback framework to Certverify

Categories

(Core :: Security: PSM, enhancement)

Product:
Core
Component:
Security: PSM
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: briansmith, Assigned: cviecco)

References

Details

Attachments

(1 file, 7 obsolete files)

add-callback-for-final-check-verify-libpkix
3.15 KB, patch
keeler
: review+
Details | Diff | Splinter Review 
+++ This bug was initially created as a clone of Bug #744204 +++

In bug 764973, we are adding a callback mechanism to libpkix that allows us to augment libpkix's certificate chain checking with our own additional checks. This is needed by bug 744204, bug 360126, and other bugs, so Camilo is going to split out a dummy "return SECSuccess;" callback from his patches in bug 744204 so that all the dependent work can be done concurrently.
Attached patch interface-part1 (obsolete) — Splinter Review 
assumes patches for bug 764973 to be applied for this patch to work. It also assumes that we always call the callback in a silly if(1==1) condition.
Attached patch interface-part2 (obsolete) — Splinter Review 
Silly me I was using externs, but these are not needed (at least it works on Linux and compiles on the rest) see:  https://tbpl.mozilla.org/?tree=Try&rev=470209c8aff7
Separation of psm interface from the other implementaiton. The only issue that could be troublesome is the use of a 'if(1==1)' condition to help document the case where callback is not needed.
Attachment #660980 - Attachment is obsolete: true
Attachment #660982 - Attachment is obsolete: true
Attachment #660997 - Flags: review?(bsmith)
Attached patch proposed-patch-v2 (obsolete) — Splinter Review 

        Attachment #660997 -
        Attachment is obsolete: true

        Attachment #660997 -
        Flags: review?(bsmith)

        Attachment #664248 -
        Flags: review?(bsmith)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed-patch-v2.1 (obsolete)
        — Splinter Review
      

    


  

        Attachment #664248 -
        Attachment is obsolete: true

        Attachment #664248 -
        Flags: review?(bsmith)

        Attachment #668532 -
        Flags: review?(bsmith)

    
    

    
  


  

        Attachment #668532 -
        Attachment is obsolete: true

        Attachment #668532 -
        Flags: review?(bsmith)

        Attachment #676236 -
        Flags: review?(bsmith)

    
    

    
  
After taking a look at Bug 481656 and Bug 650307. It seems like we should have the callback available from other places of the code. So maybe the callback should reside within 

nsCERTValInParamWrapper.cpp

where a 'constructed' nsCERTValInParamWrapper would have three (optional) params:
hostname, timetocheck, and isEV. 

This way we can al last guarantee that we will be using the same chain wherever we calculate it.

    
    

    
  
(In reply to Camilo Viecco (:cviecco) from comment #7)
> After taking a look at Bug 481656 and Bug 650307. It seems like we should
> have the callback available from other places of the code. So maybe the
> callback should reside within 
> 
> nsCERTValInParamWrapper.cpp
> 
> where a 'constructed' nsCERTValInParamWrapper would have three (optional)
> params:
> hostname, timetocheck, and isEV. 
> 
> This way we can al last guarantee that we will be using the same chain
> wherever we calculate it.

The idea of nsCERTValInParamWrapper is that it is just a cache of the preferences that affect certificate validation. It turns out it wasn't a good idea to cache those values by pre-constructing the CERTValInParams. Instead, we should just store the preferences themselves, and construct a CERTValInParams on the stack before we call CERT_VerifyCert.

Once that is done, then we can create a single VerifyCert function that has the necessary parameters (like the ones you suggested, but not hostname, because we don't always have a hostname when we're validating an SSL certificate; e.g. when we're viewing an SSL certificate from the certificate manager), and which decides whether to call CERT_VerifyCert or CERT_PKIXVerifyCert based on the libpkix preference. Then, we can add the callback logic to just that one VerifyCert function.

    
    

    
  
Comment on attachment 676236 [details] [diff] [review]
psm-chainvalitate-interface v 3 (fix bitrot)

After bug 813418, we will have only one place where we call CERT_PKIXVerifyCert. So, the patch definitely needs to be updated for that.

Within CertVerifier::VerifyCert, we will need to have a callback that is called for every verification to do things like key size checks.

I don't think it is a good idea to create a new CertVerifier for every verification that requires a callback. However, it may be reasonable to create a new CertVerifier instance sometimes, such as for the key pinning stuff; e.g. by creating a new CertVerifier constructor like this:

   CertVerifier(const CertVerifier & base, const KeyPinningInfo & pinningInfo)
       : mOCSPDownloadEnabled(base.mOCSPDownloadEnabled)
       , ....
       , mPinningInfo(pinningInfo)
   {
   }

So, generally the design seems reasonable but we should avoid adding the new copy-constructor-like constructor until we actually need it (e.g. in the key pinning bug).

        Attachment #676236 -
        Flags: review?(bsmith) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        interface post centralization (obsolete)
        — Splinter Review
      

    


  

        Attachment #676236 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 711018 [details] [diff] [review]
interface post centralization

This version does not have a fake constructor, instead the state is kept on the stack.

    
    

    
  
Camillo, are you still working on this? Any ETA?
Flags: needinfo?(cviecco)

    
    

    
  
Hello Florian, the goal now is to stop depending on libpkix and use insanity::pkix. Depending on the timing of insanity this will be done or will be marked not to do.
Flags: needinfo?(cviecco)

    
    

    
  


  

        Attachment #711018 -
        Attachment is obsolete: true

    
  
Summary: Add libpkix certificate verification callback framework to SSLServerCertVerification.cpp → Add libpkix certificate verification callback framework to Certverify

    
  

        Attachment #8367649 -
        Flags: review?(dkeeler)

    
    

    
  
Comment on attachment 8367649 [details] [diff] [review]
add-callback-for-final-check-verify-libpkix

Review of attachment 8367649 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good. Just a few items:
- let's skip the state argument for now if we can
- type*, not type *

::: security/certverifier/CertVerifier.cpp
@@ +91,5 @@
>    return SECSuccess;
>  }
>  
> +typedef struct {
> +   //just an example for now

Can we just skip this for now and have the state argument be null until we need it?

@@ +96,5 @@
> +   char *inHostname;
> +}chainValidationCallbackState_t;
> +
> +SECStatus chainValidationCallback(void *state, const CERTCertList *certList,
> +                                  PRBool *chainOK)

void*, CERTCertList*, etc.

@@ +99,5 @@
> +SECStatus chainValidationCallback(void *state, const CERTCertList *certList,
> +                                  PRBool *chainOK)
> +{
> +  chainValidationCallbackState_t *inState = nullptr;
> +  inState = (chainValidationCallbackState_t *)state;

Let's just skip the state argument for now.

@@ +104,5 @@
> +  *chainOK = PR_FALSE;
> +
> +  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("verifycert: Inside the Callback \n"));
> +
> +  //on Sanity failure we fail closed.

nit: space after //

@@ +105,5 @@
> +
> +  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("verifycert: Inside the Callback \n"));
> +
> +  //on Sanity failure we fail closed.
> +  if (NULL == certList) {

nullptr, not NULL. Also, I prefer (certList == nullptr)

@@ +107,5 @@
> +
> +  //on Sanity failure we fail closed.
> +  if (NULL == certList) {
> +    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("verifycert: Short circuit, callback, "
> +                                      "sanity check failed \n"));

indentation/alignment

@@ +120,5 @@
> +  }
> +  *chainOK = PR_TRUE;
> +  return SECSuccess;
> +}
> +

extra empty line

        Attachment #8367649 -
        Flags: review?(dkeeler) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/d2afdb4177dd
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: