Bug 1275714 - Changes in preparation for FlyWeb landing. Add ability …

…to pin using a cert fingerprint, in addition to using a cert. r=dkeeler

--HG--
extra : amend_source : 41336f6eeaf5e26b91e177dd60a91ad9ed3a064c

security/manager/ssl/nsCertOverrideService.cpp

@@ -209,7 +209,7 @@ nsCertOverrideService::Read()
    *   where override-mask is a sequence of characters,
    *     M meaning hostname-Mismatch-override
    *     U meaning Untrusted-override
-   *     T meaning Time-error-override (expired/not yet valid) 
+   *     T meaning Time-error-override (expired/not yet valid)
    *
    * if this format isn't respected we move onto the next line in the file.
    */
@@ -252,8 +252,8 @@ nsCertOverrideService::Read()
       continue; // Ignore broken entries
 
     host.Truncate(portIndex);
-    
-    AddEntryToList(host, port, 
+
+    AddEntryToList(host, port,
                    nullptr, // don't have the cert
                    false, // not temporary
                    algo_string, fingerprint, bits, db_key);
@@ -345,7 +345,7 @@ nsCertOverrideService::Write()
 
 static nsresult
 GetCertFingerprintByOidTag(nsIX509Cert *aCert,
-                           SECOidTag aOidTag, 
+                           SECOidTag aOidTag,
                            nsCString &fp)
 {
   UniqueCERTCertificate nsscert(aCert->GetCert());
@@ -405,19 +405,44 @@ nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
     AddEntryToList(aHostName, aPort,
                    aTemporary ? aCert : nullptr,
                      // keep a reference to the cert for temporary overrides
-                   aTemporary, 
-                   mDottedOidForStoringNewHashes, fpStr, 
-                   (nsCertOverride::OverrideBits)aOverrideBits, 
+                   aTemporary,
+                   mDottedOidForStoringNewHashes, fpStr,
+                   (nsCertOverride::OverrideBits)aOverrideBits,
                    dbkey);
-    Write();
+    if (!aTemporary) {
+      Write();
+    }
   }
 
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsCertOverrideService::RememberTemporaryValidityOverrideUsingFingerprint(
+  const nsACString& aHostName,
+  int32_t aPort,
+  const nsACString& aCertFingerprint,
+  uint32_t aOverrideBits)
+{
+  if(aCertFingerprint.IsEmpty() || aHostName.IsEmpty() || (aPort < -1)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  ReentrantMonitorAutoEnter lock(monitor);
+  AddEntryToList(aHostName, aPort,
+                 nullptr, // No cert to keep alive
+                 true, // temporary
+                 mDottedOidForStoringNewHashes,
+                 aCertFingerprint,
+                 (nsCertOverride::OverrideBits)aOverrideBits,
+                 EmptyCString());  // dbkey
+
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t aPort,
-                                           nsIX509Cert *aCert, 
+                                           nsIX509Cert *aCert,
                                            uint32_t *aOverrideBits,
                                            bool *aIsTemporary,
                                            bool *_retval)
@@ -441,10 +466,10 @@ nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t
   {
     ReentrantMonitorAutoEnter lock(monitor);
     nsCertOverrideEntry *entry = mSettingsTable.GetEntry(hostPort.get());
-  
+
     if (!entry)
       return NS_OK;
-  
+
     settings = entry->mSettings; // copy
   }
 
@@ -472,8 +497,8 @@ nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t
 
 NS_IMETHODIMP
 nsCertOverrideService::GetValidityOverride(const nsACString & aHostName, int32_t aPort,
-                                           nsACString & aHashAlg, 
-                                           nsACString & aFingerprint, 
+                                           nsACString & aHashAlg,
+                                           nsACString & aFingerprint,
                                            uint32_t *aOverrideBits,
                                            bool *aIsTemporary,
                                            bool *_found)
@@ -491,7 +516,7 @@ nsCertOverrideService::GetValidityOverride(const nsACString & aHostName, int32_t
   {
     ReentrantMonitorAutoEnter lock(monitor);
     nsCertOverrideEntry *entry = mSettingsTable.GetEntry(hostPort.get());
-  
+
     if (entry) {
       *_found = true;
       settings = entry->mSettings; // copy
@@ -512,7 +537,7 @@ nsresult
 nsCertOverrideService::AddEntryToList(const nsACString &aHostName, int32_t aPort,
                                       nsIX509Cert *aCert,
                                       const bool aIsTemporary,
-                                      const nsACString &fingerprintAlgOID, 
+                                      const nsACString &fingerprintAlgOID,
                                       const nsACString &fingerprint,
                                       nsCertOverride::OverrideBits ob,
                                       const nsACString &dbKey)
@@ -598,7 +623,7 @@ matchesDBKey(nsIX509Cert* cert, const nsCString& matchDbKey)
 }
 
 NS_IMETHODIMP
-nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert *aCert, 
+nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert *aCert,
                                               bool aCheckTemporaries,
                                               bool aCheckPermanents,
                                               uint32_t *_retval)
@@ -611,14 +636,13 @@ nsCertOverrideService::IsCertUsedForOverrides(nsIX509Cert *aCert,
     ReentrantMonitorAutoEnter lock(monitor);
     for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
       const nsCertOverride &settings = iter.Get()->mSettings;
-      bool still_ok = true;
 
       if (( settings.mIsTemporary && !aCheckTemporaries) ||
           (!settings.mIsTemporary && !aCheckPermanents)) {
-        still_ok = false;
+        continue;
       }
 
-      if (still_ok && matchesDBKey(aCert, settings.mDBKey)) {
+      if (matchesDBKey(aCert, settings.mDBKey)) {
         nsAutoCString cert_fingerprint;
         nsresult rv = NS_ERROR_UNEXPECTED;
         if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {

security/manager/ssl/nsICertOverrideService.idl

@@ -15,8 +15,8 @@ interface nsIX509Cert;
 
 /**
  * This represents the global list of triples
- *   {host:port, cert-fingerprint, allowed-overrides} 
- * that the user wants to accept without further warnings. 
+ *   {host:port, cert-fingerprint, allowed-overrides}
+ * that the user wants to accept without further warnings.
  */
 [scriptable, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
 interface nsICertOverrideService : nsISupports {
@@ -48,7 +48,7 @@ interface nsICertOverrideService : nsISupports {
    *  which only exhibit some subset of errors.
    *
    *  @param aHostName The host (punycode) this mapping belongs to
-   *  @param aPort The port this mapping belongs to, if it is -1 then it 
+   *  @param aPort The port this mapping belongs to, if it is -1 then it
    *          is internaly treated as 443
    *  @param aCert The cert that should always be accepted
    *  @param aOverrideBits The precise set of errors we want to be overriden
@@ -59,6 +59,25 @@ interface nsICertOverrideService : nsISupports {
                                 in uint32_t aOverrideBits,
                                 in boolean aTemporary);
 
+  /**
+   *  Certs with the given fingerprint should always be accepted for the
+   *  given hostname:port, regardless of errors verifying the cert.
+   *  Host:Port is a primary key, only one entry per host:port can exist.
+   *  The fingerprint should be an SHA-256 hash of the certificate.
+   *
+   *  @param aHostName The host (punycode) this mapping belongs to
+   *  @param aPort The port this mapping belongs to, if it is -1 then it
+   *          is internaly treated as 443
+   *  @param aCertFingerprint The cert fingerprint that should be accepted, in
+   *          the format 'AA:BB:...' (colon-separated upper-case hex bytes).
+   *  @param aOverrideBits The errors we want to be overriden
+   */
+  void rememberTemporaryValidityOverrideUsingFingerprint(
+      in ACString aHostName,
+      in int32_t aPort,
+      in ACString aCertFingerprint,
+      in uint32_t aOverrideBits);
+
   /**
    *  Return whether this host, port, cert triple has a stored override.
    *  If so, the outparams will contain the specific errors that were
@@ -84,16 +103,16 @@ interface nsICertOverrideService : nsISupports {
    *  Retrieve the stored override for the given hostname:port.
    *
    *  @param aHostName The host (punycode) whose entry should be tested
-   *  @param aPort The port whose entry should be tested, if it is -1 then it 
+   *  @param aPort The port whose entry should be tested, if it is -1 then it
    *          is internaly treated as 443
    *  @param aHashAlg On return value True, the fingerprint hash algorithm
    *                  as an OID value in dotted notation.
-   *  @param aFingerprint On return value True, the stored fingerprint 
+   *  @param aFingerprint On return value True, the stored fingerprint
    *  @param aOverrideBits The errors that are currently overriden
-   *  @return whether a matching override entry for aHostNameWithPort 
+   *  @return whether a matching override entry for aHostNameWithPort
    *          and aFingerprint is currently on file
    */
-  boolean getValidityOverride(in ACString aHostName, 
+  boolean getValidityOverride(in ACString aHostName,
                               in int32_t aPort,
                               out ACString aHashAlg,
                               out ACString aFingerprint,