ssl: add cert store
This commit is contained in:
parent
f297e98a9e
commit
fd718f350c
|
@ -1047,9 +1047,12 @@ add_library(core STATIC
|
||||||
hle/service/spl/spl_module.h
|
hle/service/spl/spl_module.h
|
||||||
hle/service/spl/spl_results.h
|
hle/service/spl/spl_results.h
|
||||||
hle/service/spl/spl_types.h
|
hle/service/spl/spl_types.h
|
||||||
|
hle/service/ssl/cert_store.cpp
|
||||||
|
hle/service/ssl/cert_store.h
|
||||||
hle/service/ssl/ssl.cpp
|
hle/service/ssl/ssl.cpp
|
||||||
hle/service/ssl/ssl.h
|
hle/service/ssl/ssl.h
|
||||||
hle/service/ssl/ssl_backend.h
|
hle/service/ssl/ssl_backend.h
|
||||||
|
hle/service/ssl/ssl_types.h
|
||||||
hle/service/usb/usb.cpp
|
hle/service/usb/usb.cpp
|
||||||
hle/service/usb/usb.h
|
hle/service/usb/usb.h
|
||||||
hle/service/vi/application_display_service.cpp
|
hle/service/vi/application_display_service.cpp
|
||||||
|
|
|
@ -0,0 +1,156 @@
|
||||||
|
// SPDX-FileCopyrightText: Copyright 2024 yuzu Emulator Project
|
||||||
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
|
||||||
|
#include "common/alignment.h"
|
||||||
|
#include "core/core.h"
|
||||||
|
#include "core/file_sys/content_archive.h"
|
||||||
|
#include "core/file_sys/nca_metadata.h"
|
||||||
|
#include "core/file_sys/registered_cache.h"
|
||||||
|
#include "core/file_sys/romfs.h"
|
||||||
|
#include "core/hle/service/filesystem/filesystem.h"
|
||||||
|
#include "core/hle/service/ssl/cert_store.h"
|
||||||
|
|
||||||
|
namespace Service::SSL {
|
||||||
|
|
||||||
|
// https://switchbrew.org/wiki/SSL_services#CertStore
|
||||||
|
|
||||||
|
CertStore::CertStore(Core::System& system) {
|
||||||
|
constexpr u64 CertStoreDataId = 0x0100000000000800ULL;
|
||||||
|
|
||||||
|
auto& fsc = system.GetFileSystemController();
|
||||||
|
|
||||||
|
// Attempt to load certificate data from storage
|
||||||
|
const auto nca =
|
||||||
|
fsc.GetSystemNANDContents()->GetEntry(CertStoreDataId, FileSys::ContentRecordType::Data);
|
||||||
|
if (!nca) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
const auto romfs = nca->GetRomFS();
|
||||||
|
if (!romfs) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
const auto extracted = FileSys::ExtractRomFS(romfs);
|
||||||
|
if (!extracted) {
|
||||||
|
LOG_ERROR(Service_SSL, "CertStore could not be extracted, corrupt RomFS?");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
const auto cert_store_file = extracted->GetFile("ssl_TrustedCerts.bdf");
|
||||||
|
if (!cert_store_file) {
|
||||||
|
LOG_ERROR(Service_SSL, "Failed to find trusted certificates in CertStore");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read and verify the header.
|
||||||
|
CertStoreHeader header;
|
||||||
|
cert_store_file->ReadObject(std::addressof(header));
|
||||||
|
|
||||||
|
if (header.magic != Common::MakeMagic('s', 's', 'l', 'T')) {
|
||||||
|
LOG_ERROR(Service_SSL, "Invalid certificate store magic");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure the file can contains the number of entries it says it does.
|
||||||
|
const u64 expected_size = sizeof(header) + sizeof(CertStoreEntry) * header.num_entries;
|
||||||
|
const u64 actual_size = cert_store_file->GetSize();
|
||||||
|
if (actual_size < expected_size) {
|
||||||
|
LOG_ERROR(Service_SSL, "Size mismatch, expected at least {} bytes, got {}", expected_size,
|
||||||
|
actual_size);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read entries.
|
||||||
|
std::vector<CertStoreEntry> entries(header.num_entries);
|
||||||
|
cert_store_file->ReadArray(entries.data(), header.num_entries, sizeof(header));
|
||||||
|
|
||||||
|
// Insert into memory store.
|
||||||
|
for (const auto& entry : entries) {
|
||||||
|
m_certs.emplace(entry.certificate_id,
|
||||||
|
Certificate{
|
||||||
|
.status = entry.certificate_status,
|
||||||
|
.der_data = cert_store_file->ReadBytes(
|
||||||
|
entry.der_size, entry.der_offset + sizeof(header)),
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
CertStore::~CertStore() = default;
|
||||||
|
|
||||||
|
template <typename F>
|
||||||
|
void CertStore::ForEachCertificate(std::span<const CaCertificateId> certificate_ids, F&& f) {
|
||||||
|
if (certificate_ids.size() == 1 && certificate_ids.front() == CaCertificateId::All) {
|
||||||
|
for (const auto& entry : m_certs) {
|
||||||
|
f(entry);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
for (const auto certificate_id : certificate_ids) {
|
||||||
|
const auto entry = m_certs.find(certificate_id);
|
||||||
|
if (entry == m_certs.end()) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
f(*entry);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Result CertStore::GetCertificates(u32* out_num_entries, std::span<u8> out_data,
|
||||||
|
std::span<const CaCertificateId> certificate_ids) {
|
||||||
|
// Ensure the buffer is large enough to hold the output.
|
||||||
|
u32 required_size;
|
||||||
|
R_TRY(this->GetCertificateBufSize(std::addressof(required_size), out_num_entries,
|
||||||
|
certificate_ids));
|
||||||
|
R_UNLESS(out_data.size_bytes() >= required_size, ResultUnknown);
|
||||||
|
|
||||||
|
// Make parallel arrays.
|
||||||
|
std::vector<BuiltInCertificateInfo> cert_infos;
|
||||||
|
std::vector<u8> der_datas;
|
||||||
|
|
||||||
|
const u32 der_data_offset = (*out_num_entries + 1) * sizeof(BuiltInCertificateInfo);
|
||||||
|
u32 cur_der_offset = der_data_offset;
|
||||||
|
|
||||||
|
// Fill output.
|
||||||
|
this->ForEachCertificate(certificate_ids, [&](auto& entry) {
|
||||||
|
const auto& [status, cur_der_data] = entry.second;
|
||||||
|
BuiltInCertificateInfo cert_info{
|
||||||
|
.cert_id = entry.first,
|
||||||
|
.status = status,
|
||||||
|
.der_size = cur_der_data.size(),
|
||||||
|
.der_offset = cur_der_offset,
|
||||||
|
};
|
||||||
|
|
||||||
|
cert_infos.push_back(cert_info);
|
||||||
|
der_datas.insert(der_datas.end(), cur_der_data.begin(), cur_der_data.end());
|
||||||
|
cur_der_offset += static_cast<u32>(cur_der_data.size());
|
||||||
|
});
|
||||||
|
|
||||||
|
// Append terminator entry.
|
||||||
|
cert_infos.push_back(BuiltInCertificateInfo{
|
||||||
|
.cert_id = CaCertificateId::All,
|
||||||
|
.status = TrustedCertStatus::Invalid,
|
||||||
|
.der_size = 0,
|
||||||
|
.der_offset = 0,
|
||||||
|
});
|
||||||
|
|
||||||
|
// Write to output span.
|
||||||
|
std::memcpy(out_data.data(), cert_infos.data(),
|
||||||
|
cert_infos.size() * sizeof(BuiltInCertificateInfo));
|
||||||
|
std::memcpy(out_data.data() + der_data_offset, der_datas.data(), der_datas.size());
|
||||||
|
|
||||||
|
R_SUCCEED();
|
||||||
|
}
|
||||||
|
|
||||||
|
Result CertStore::GetCertificateBufSize(u32* out_size, u32* out_num_entries,
|
||||||
|
std::span<const CaCertificateId> certificate_ids) {
|
||||||
|
// Output size is at least the size of the terminator entry.
|
||||||
|
*out_size = sizeof(BuiltInCertificateInfo);
|
||||||
|
*out_num_entries = 0;
|
||||||
|
|
||||||
|
this->ForEachCertificate(certificate_ids, [&](auto& entry) {
|
||||||
|
*out_size += sizeof(BuiltInCertificateInfo);
|
||||||
|
*out_size += Common::AlignUp(static_cast<u32>(entry.second.der_data.size()), 4);
|
||||||
|
(*out_num_entries)++;
|
||||||
|
});
|
||||||
|
|
||||||
|
R_SUCCEED();
|
||||||
|
}
|
||||||
|
|
||||||
|
} // namespace Service::SSL
|
|
@ -0,0 +1,42 @@
|
||||||
|
// SPDX-FileCopyrightText: Copyright 2024 yuzu Emulator Project
|
||||||
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include <map>
|
||||||
|
#include <span>
|
||||||
|
#include <vector>
|
||||||
|
|
||||||
|
#include "core/hle/result.h"
|
||||||
|
#include "core/hle/service/ssl/ssl_types.h"
|
||||||
|
|
||||||
|
namespace Core {
|
||||||
|
class System;
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace Service::SSL {
|
||||||
|
|
||||||
|
class CertStore {
|
||||||
|
public:
|
||||||
|
explicit CertStore(Core::System& system);
|
||||||
|
~CertStore();
|
||||||
|
|
||||||
|
Result GetCertificates(u32* out_num_entries, std::span<u8> out_data,
|
||||||
|
std::span<const CaCertificateId> certificate_ids);
|
||||||
|
Result GetCertificateBufSize(u32* out_size, u32* out_num_entries,
|
||||||
|
std::span<const CaCertificateId> certificate_ids);
|
||||||
|
|
||||||
|
private:
|
||||||
|
template <typename F>
|
||||||
|
void ForEachCertificate(std::span<const CaCertificateId> certs, F&& f);
|
||||||
|
|
||||||
|
private:
|
||||||
|
struct Certificate {
|
||||||
|
TrustedCertStatus status;
|
||||||
|
std::vector<u8> der_data;
|
||||||
|
};
|
||||||
|
|
||||||
|
std::map<CaCertificateId, Certificate> m_certs;
|
||||||
|
};
|
||||||
|
|
||||||
|
} // namespace Service::SSL
|
|
@ -5,11 +5,13 @@
|
||||||
|
|
||||||
#include "core/core.h"
|
#include "core/core.h"
|
||||||
#include "core/hle/result.h"
|
#include "core/hle/result.h"
|
||||||
|
#include "core/hle/service/cmif_serialization.h"
|
||||||
#include "core/hle/service/ipc_helpers.h"
|
#include "core/hle/service/ipc_helpers.h"
|
||||||
#include "core/hle/service/server_manager.h"
|
#include "core/hle/service/server_manager.h"
|
||||||
#include "core/hle/service/service.h"
|
#include "core/hle/service/service.h"
|
||||||
#include "core/hle/service/sm/sm.h"
|
#include "core/hle/service/sm/sm.h"
|
||||||
#include "core/hle/service/sockets/bsd.h"
|
#include "core/hle/service/sockets/bsd.h"
|
||||||
|
#include "core/hle/service/ssl/cert_store.h"
|
||||||
#include "core/hle/service/ssl/ssl.h"
|
#include "core/hle/service/ssl/ssl.h"
|
||||||
#include "core/hle/service/ssl/ssl_backend.h"
|
#include "core/hle/service/ssl/ssl_backend.h"
|
||||||
#include "core/internal_network/network.h"
|
#include "core/internal_network/network.h"
|
||||||
|
@ -492,13 +494,14 @@ private:
|
||||||
|
|
||||||
class ISslService final : public ServiceFramework<ISslService> {
|
class ISslService final : public ServiceFramework<ISslService> {
|
||||||
public:
|
public:
|
||||||
explicit ISslService(Core::System& system_) : ServiceFramework{system_, "ssl"} {
|
explicit ISslService(Core::System& system_)
|
||||||
|
: ServiceFramework{system_, "ssl"}, cert_store{system} {
|
||||||
// clang-format off
|
// clang-format off
|
||||||
static const FunctionInfo functions[] = {
|
static const FunctionInfo functions[] = {
|
||||||
{0, &ISslService::CreateContext, "CreateContext"},
|
{0, &ISslService::CreateContext, "CreateContext"},
|
||||||
{1, nullptr, "GetContextCount"},
|
{1, nullptr, "GetContextCount"},
|
||||||
{2, nullptr, "GetCertificates"},
|
{2, D<&ISslService::GetCertificates>, "GetCertificates"},
|
||||||
{3, nullptr, "GetCertificateBufSize"},
|
{3, D<&ISslService::GetCertificateBufSize>, "GetCertificateBufSize"},
|
||||||
{4, nullptr, "DebugIoctl"},
|
{4, nullptr, "DebugIoctl"},
|
||||||
{5, &ISslService::SetInterfaceVersion, "SetInterfaceVersion"},
|
{5, &ISslService::SetInterfaceVersion, "SetInterfaceVersion"},
|
||||||
{6, nullptr, "FlushSessionCache"},
|
{6, nullptr, "FlushSessionCache"},
|
||||||
|
@ -540,6 +543,22 @@ private:
|
||||||
IPC::ResponseBuilder rb{ctx, 2};
|
IPC::ResponseBuilder rb{ctx, 2};
|
||||||
rb.Push(ResultSuccess);
|
rb.Push(ResultSuccess);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Result GetCertificateBufSize(
|
||||||
|
Out<u32> out_size, InArray<CaCertificateId, BufferAttr_HipcMapAlias> certificate_ids) {
|
||||||
|
LOG_INFO(Service_SSL, "called");
|
||||||
|
u32 num_entries;
|
||||||
|
R_RETURN(cert_store.GetCertificateBufSize(out_size, &num_entries, certificate_ids));
|
||||||
|
}
|
||||||
|
|
||||||
|
Result GetCertificates(Out<u32> out_num_entries, OutBuffer<BufferAttr_HipcMapAlias> out_buffer,
|
||||||
|
InArray<CaCertificateId, BufferAttr_HipcMapAlias> certificate_ids) {
|
||||||
|
LOG_INFO(Service_SSL, "called");
|
||||||
|
R_RETURN(cert_store.GetCertificates(out_num_entries, out_buffer, certificate_ids));
|
||||||
|
}
|
||||||
|
|
||||||
|
private:
|
||||||
|
CertStore cert_store;
|
||||||
};
|
};
|
||||||
|
|
||||||
void LoopProcess(Core::System& system) {
|
void LoopProcess(Core::System& system) {
|
||||||
|
|
|
@ -0,0 +1,107 @@
|
||||||
|
// SPDX-FileCopyrightText: Copyright 2024 yuzu Emulator Project
|
||||||
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include "common/common_types.h"
|
||||||
|
|
||||||
|
namespace Service::SSL {
|
||||||
|
|
||||||
|
enum class CaCertificateId : s32 {
|
||||||
|
All = -1,
|
||||||
|
NintendoCAG3 = 1,
|
||||||
|
NintendoClass2CAG3 = 2,
|
||||||
|
NintendoRootCAG4 = 3,
|
||||||
|
AmazonRootCA1 = 1000,
|
||||||
|
StarfieldServicesRootCertificateAuthorityG2 = 1001,
|
||||||
|
AddTrustExternalCARoot = 1002,
|
||||||
|
COMODOCertificationAuthority = 1003,
|
||||||
|
UTNDATACorpSGC = 1004,
|
||||||
|
UTNUSERFirstHardware = 1005,
|
||||||
|
BaltimoreCyberTrustRoot = 1006,
|
||||||
|
CybertrustGlobalRoot = 1007,
|
||||||
|
VerizonGlobalRootCA = 1008,
|
||||||
|
DigiCertAssuredIDRootCA = 1009,
|
||||||
|
DigiCertAssuredIDRootG2 = 1010,
|
||||||
|
DigiCertGlobalRootCA = 1011,
|
||||||
|
DigiCertGlobalRootG2 = 1012,
|
||||||
|
DigiCertHighAssuranceEVRootCA = 1013,
|
||||||
|
EntrustnetCertificationAuthority2048 = 1014,
|
||||||
|
EntrustRootCertificationAuthority = 1015,
|
||||||
|
EntrustRootCertificationAuthorityG2 = 1016,
|
||||||
|
GeoTrustGlobalCA2 = 1017,
|
||||||
|
GeoTrustGlobalCA = 1018,
|
||||||
|
GeoTrustPrimaryCertificationAuthorityG3 = 1019,
|
||||||
|
GeoTrustPrimaryCertificationAuthority = 1020,
|
||||||
|
GlobalSignRootCA = 1021,
|
||||||
|
GlobalSignRootCAR2 = 1022,
|
||||||
|
GlobalSignRootCAR3 = 1023,
|
||||||
|
GoDaddyClass2CertificationAuthority = 1024,
|
||||||
|
GoDaddyRootCertificateAuthorityG2 = 1025,
|
||||||
|
StarfieldClass2CertificationAuthority = 1026,
|
||||||
|
StarfieldRootCertificateAuthorityG2 = 1027,
|
||||||
|
thawtePrimaryRootCAG3 = 1028,
|
||||||
|
thawtePrimaryRootCA = 1029,
|
||||||
|
VeriSignClass3PublicPrimaryCertificationAuthorityG3 = 1030,
|
||||||
|
VeriSignClass3PublicPrimaryCertificationAuthorityG5 = 1031,
|
||||||
|
VeriSignUniversalRootCertificationAuthority = 1032,
|
||||||
|
DSTRootCAX3 = 1033,
|
||||||
|
USERTrustRsaCertificationAuthority = 1034,
|
||||||
|
ISRGRootX10 = 1035,
|
||||||
|
USERTrustEccCertificationAuthority = 1036,
|
||||||
|
COMODORsaCertificationAuthority = 1037,
|
||||||
|
COMODOEccCertificationAuthority = 1038,
|
||||||
|
AmazonRootCA2 = 1039,
|
||||||
|
AmazonRootCA3 = 1040,
|
||||||
|
AmazonRootCA4 = 1041,
|
||||||
|
DigiCertAssuredIDRootG3 = 1042,
|
||||||
|
DigiCertGlobalRootG3 = 1043,
|
||||||
|
DigiCertTrustedRootG4 = 1044,
|
||||||
|
EntrustRootCertificationAuthorityEC1 = 1045,
|
||||||
|
EntrustRootCertificationAuthorityG4 = 1046,
|
||||||
|
GlobalSignECCRootCAR4 = 1047,
|
||||||
|
GlobalSignECCRootCAR5 = 1048,
|
||||||
|
GlobalSignECCRootCAR6 = 1049,
|
||||||
|
GTSRootR1 = 1050,
|
||||||
|
GTSRootR2 = 1051,
|
||||||
|
GTSRootR3 = 1052,
|
||||||
|
GTSRootR4 = 1053,
|
||||||
|
SecurityCommunicationRootCA = 1054,
|
||||||
|
GlobalSignRootE4 = 1055,
|
||||||
|
GlobalSignRootR4 = 1056,
|
||||||
|
TTeleSecGlobalRootClass2 = 1057,
|
||||||
|
DigiCertTLSECCP384RootG5 = 1058,
|
||||||
|
DigiCertTLSRSA4096RootG5 = 1059,
|
||||||
|
};
|
||||||
|
|
||||||
|
enum class TrustedCertStatus : s32 {
|
||||||
|
Invalid = -1,
|
||||||
|
Removed = 0,
|
||||||
|
EnabledTrusted = 1,
|
||||||
|
EnabledNotTrusted = 2,
|
||||||
|
Revoked = 3,
|
||||||
|
};
|
||||||
|
|
||||||
|
struct BuiltInCertificateInfo {
|
||||||
|
CaCertificateId cert_id;
|
||||||
|
TrustedCertStatus status;
|
||||||
|
u64 der_size;
|
||||||
|
u64 der_offset;
|
||||||
|
};
|
||||||
|
static_assert(sizeof(BuiltInCertificateInfo) == 0x18, "BuiltInCertificateInfo has incorrect size.");
|
||||||
|
|
||||||
|
struct CertStoreHeader {
|
||||||
|
u32 magic;
|
||||||
|
u32 num_entries;
|
||||||
|
};
|
||||||
|
static_assert(sizeof(CertStoreHeader) == 0x8, "CertStoreHeader has incorrect size.");
|
||||||
|
|
||||||
|
struct CertStoreEntry {
|
||||||
|
CaCertificateId certificate_id;
|
||||||
|
TrustedCertStatus certificate_status;
|
||||||
|
u32 der_size;
|
||||||
|
u32 der_offset;
|
||||||
|
};
|
||||||
|
static_assert(sizeof(CertStoreEntry) == 0x10, "CertStoreEntry has incorrect size.");
|
||||||
|
|
||||||
|
} // namespace Service::SSL
|
Reference in New Issue