Line 7: |
Line 7: |
| | | |
| Note that SystemPrograms generally use [[#RegisterInternalPki]] (see [[libcurl]]). However, [[Internet_Browser|web-applets]] use [[#GetCertificates]] with [[#CaCertificateId]] All - [[#RegisterInternalPki]] is not used. | | Note that SystemPrograms generally use [[#RegisterInternalPki]] (see [[libcurl]]). However, [[Internet_Browser|web-applets]] use [[#GetCertificates]] with [[#CaCertificateId]] All - [[#RegisterInternalPki]] is not used. |
| + | |
| + | This has IPC max_sessions = 0x40. |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
Line 123: |
Line 125: |
| | 11 || [3.0.0+] [[#RemoveCrl]] | | | 11 || [3.0.0+] [[#RemoveCrl]] |
| |- | | |- |
− | | 12 || [16.0.0+] ImportClientCertKeyPki | + | | 12 || [16.0.0+] [[#ImportClientCertKeyPki]] |
| |- | | |- |
− | | 13 || [16.0.0+] GeneratePrivateKeyAndCert | + | | 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]] |
| |} | | |} |
| | | |
Line 154: |
Line 156: |
| | | |
| The certs can be CAs or server certs (no pubkeys). | | The certs can be CAs or server certs (no pubkeys). |
| + | |
| + | The [[#CertificateFormat]] only validated, afterwards it's ignored. |
| | | |
| === ImportClientPki === | | === ImportClientPki === |
Line 185: |
Line 189: |
| === RemoveCrl === | | === RemoveCrl === |
| Takes an input u64 Id, no output. | | Takes an input u64 Id, no output. |
| + | |
| + | === ImportClientCertKeyPki === |
| + | Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id. |
| + | |
| + | This imports the specified client cert (first inbuf) and key (second inbuf). The [[#CertificateFormat]] controls the format for the cert and key. |
| + | |
| + | === GeneratePrivateKeyAndCert === |
| + | Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s. |
| + | |
| + | Official sw passes hard-coded value 1 for the u32. Sysmodule will throw an error if the u32 is not value 1. |
| + | |
| + | The input buffer size must match the size of [[#KeyAndCertParams]] (0x58-bytes). |
| + | |
| + | This generates a self-signed DER cert/key with algo sha256WithRSAEncryption, with the cert expiring in exactly 30 days from the begin-timestamp. |
| + | |
| + | The first outbuf contains the cert, the second outbuf contains the key. The output u32s are the actual output size of the cert and key. |
| + | |
| + | Sample cert: |
| + | |
| + | Certificate: |
| + | Data: |
| + | Version: 1 (0x0) |
| + | Serial Number: {...} |
| + | Signature Algorithm: sha256WithRSAEncryption |
| + | Issuer: CN = {input} |
| + | Validity |
| + | Not Before: {...} |
| + | Not After : {...} |
| + | Subject: CN = {input} |
| + | Subject Public Key Info: |
| + | Public Key Algorithm: rsaEncryption |
| + | Public-Key: {input bit-size} |
| + | Modulus: |
| + | {...} |
| + | Exponent: {input} |
| + | Signature Algorithm: sha256WithRSAEncryption |
| + | Signature Value: |
| + | {...} |
| | | |
| === ISslConnection === | | === ISslConnection === |
Line 249: |
Line 291: |
| | 27 || [9.0.0+] [[#GetNextAlpnProto]] | | | 27 || [9.0.0+] [[#GetNextAlpnProto]] |
| |- | | |- |
− | | 28 || [16.0.0+] SetDtlsSocketDescriptor | + | | 28 || [16.0.0+] [[#SetDtlsSocketDescriptor]] |
| |- | | |- |
− | | 29 || [16.0.0+] GetDtlsHandshakeTimeout | + | | 29 || [16.0.0+] [[#GetDtlsHandshakeTimeout]] |
| |- | | |- |
− | | 30 || [16.0.0+] SetPrivateOption | + | | 30 || [16.0.0+] [[#SetPrivateOption]] |
| |- | | |- |
− | | 31 || [16.0.0+] SetSrtpCiphers | + | | 31 || [16.0.0+] [[#SetSrtpCiphers]] |
| |- | | |- |
− | | 32 || [16.0.0+] GetSrtpCipher | + | | 32 || [16.0.0+] [[#GetSrtpCipher]] |
| |- | | |- |
− | | 33 || [16.0.0+] ExportKeyingMaterial | + | | 33 || [16.0.0+] [[#ExportKeyingMaterial]] |
| |- | | |- |
− | | 34 || [16.0.0+] SetIoTimeout | + | | 34 || [16.0.0+] [[#SetIoTimeout]] |
| |- | | |- |
− | | 35 || [16.0.0+] GetIoTimeout | + | | 35 || [16.0.0+] [[#GetIoTimeout]] |
| |} | | |} |
| | | |
Line 437: |
Line 479: |
| | | |
| The output will be all-zero/empty if not available - such as when this was used before DoHandshake*. | | The output will be all-zero/empty if not available - such as when this was used before DoHandshake*. |
| + | |
| + | ==== SetDtlsSocketDescriptor ==== |
| + | Takes an input s32 sockfd and a type-0x5 input buffer, returns an output s32 sockfd. |
| + | |
| + | The input buffer contains a "nn::socket::SockAddr". |
| + | |
| + | The input buffer must be at least 0x10-bytes and the byte at buf+0 must match the buffer size, otherwise an error is thrown. Then the same func is called as [[#SetSocketDescriptor]] internally, except this passes the input buffer for the SockAddr, while SetSocketDescriptor passes NULL for SockAddr. |
| + | |
| + | ==== GetDtlsHandshakeTimeout ==== |
| + | Takes a type-0x6 output buffer containing a "nn::TimeSpan". |
| + | |
| + | The buffer size must be 0x8. |
| + | |
| + | ==== SetPrivateOption ==== |
| + | Takes an input bool and an [[#OptionType]], no output. |
| + | |
| + | [17.0.0+] Takes an input u32 value and an [[#OptionType]], no output. |
| + | |
| + | ==== SetSrtpCiphers ==== |
| + | Takes a type-0x5 input buffer, no output. |
| + | |
| + | The buffer must be aligned to 2-bytes. The buffer contains an array of u16s, a maximum of 4 entries is allowed. Each entry must be value 1-2, otherwise the entry is ignored. |
| + | |
| + | ==== GetSrtpCipher ==== |
| + | No input, returns an output u16. |
| + | |
| + | ==== ExportKeyingMaterial ==== |
| + | Takes a type-0x6 output buffer and two type-0x5 input buffers. |
| + | |
| + | The first inbuf contains the label string. The buffer size must match the output from strnlen(inbuf0, bufsize0), therefore the buffer size must not include the NUL-terminator. |
| + | |
| + | The second inbuf is the optional context data, if specified the buffer size must be <0xFFFF. |
| + | |
| + | This is for standard TLS keying material export. |
| + | |
| + | ==== SetIoTimeout ==== |
| + | Takes an input u32, no output. |
| + | |
| + | This sets a field in the ISslConnection object, then returns 0. |
| + | |
| + | ==== GetIoTimeout ==== |
| + | No input, returns an output u32. |
| + | |
| + | This gets the field set by [[#SetIoTimeout]], then returns 0. |
| | | |
| = ssl:s = | | = ssl:s = |
Line 442: |
Line 528: |
| | | |
| This was added with [15.0.0+]. | | This was added with [15.0.0+]. |
| + | |
| + | This has IPC max_sessions = 0x40. |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
Line 469: |
Line 557: |
| | 100 || [[#CreateContextForSystem]] | | | 100 || [[#CreateContextForSystem]] |
| |- | | |- |
− | | 101 || SetThreadCoreMask | + | | 101 || [[#SetThreadCoreMask]] |
| |- | | |- |
− | | 102 || GetThreadCoreMask | + | | 102 || [[#GetThreadCoreMask]] |
| + | |- |
| + | | 103 || [18.0.0+] VerifySignature |
| |} | | |} |
| | | |
| == CreateContextForSystem == | | == CreateContextForSystem == |
− | Unofficial name.
| + | Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]]. |
| + | |
| + | == SetThreadCoreMask == |
| + | Takes an input u64 mask, no output. |
| + | |
| + | An error is thrown if the mask is 0, or if any bits are set which are not present in CoreMask from [[SVC|svcGetInfo]]. |
| + | |
| + | This updates a global field and uses [[SVC|svcSetThreadCoreMask]]. |
| + | |
| + | == GetThreadCoreMask == |
| + | No input, returns an output u64. |
| | | |
− | Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]].
| + | This gets the global field which is also used by [[#SetThreadCoreMask]]. |
| | | |
| == ISslContextForSystem == | | == ISslContextForSystem == |
Line 512: |
Line 612: |
| | 11 || [[#RemoveCrl]] | | | 11 || [[#RemoveCrl]] |
| |- | | |- |
− | | 12 || [16.0.0+] ImportClientCertKeyPki | + | | 12 || [16.0.0+] [[#ImportClientCertKeyPki]] |
| |- | | |- |
− | | 13 || [16.0.0+] GeneratePrivateKeyAndCert | + | | 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]] |
| |- | | |- |
− | | 100 || [[#CreateConnectionForSystem]] | + | | 100 || [[#CreateConnectionEx]] |
| |} | | |} |
| | | |
− | === CreateConnectionForSystem === | + | === CreateConnectionEx === |
− | Unofficial name.
| |
− | | |
| No input. Returns an [[#ISslConnection]]. | | No input. Returns an [[#ISslConnection]]. |
| | | |
− | This is similar to [[#CreateConnection]], but allows a maximum of 10 connections instead of 8. | + | This is similar to [[#CreateConnection]], but allows a maximum of 10 connections instead of 8. |
| | | |
| = SslVersion = | | = SslVersion = |
Line 540: |
Line 638: |
| | | |
| [14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]]. | | [14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]]. |
| + | |
| + | [17.0.0+] ApiVersion is now 4. |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
Line 761: |
Line 861: |
| | 1054 || [12.0.0+] "Security Communication RootCA" | | | 1054 || [12.0.0+] "Security Communication RootCA" |
| |- | | |- |
− | | 1055 || [?+] | + | | 1055 || [15.0.0+] "GlobalSign Root E4" |
| |- | | |- |
− | | 1056 || [?+] | + | | 1056 || [15.0.0+] "GlobalSign Root R4" |
| |- | | |- |
− | | 1057 || [?+] | + | | 1057 || [15.0.0+] "T-TeleSec GlobalRoot Class 2" |
| |- | | |- |
− | | 1058 || [16.0.0+] "T-TeleSec GlobalRoot Class 2" | + | | 1058 || [16.0.0+] "DigiCert TLS ECC P384 Root G5" |
| |- | | |- |
| | 1059 || [16.0.0+] "DigiCert TLS RSA4096 Root G5" | | | 1059 || [16.0.0+] "DigiCert TLS RSA4096 Root G5" |
Line 917: |
Line 1,017: |
| |} | | |} |
| | | |
− | This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these bool flags are cleared. | + | Or in the case of [[#SetPrivateOption]] which is also "nn::ssl::ConnectionPrivate::PrivateOptionType": |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Value |
| + | ! Description |
| + | |- |
| + | | 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set. |
| + | |- |
| + | | 2 || [17.0.0+] This exclusively enables the cipher suite specified in the input u32 passed to [[#SetPrivateOption]] (all other ciphers disabled). |
| + | |} |
| + | |
| + | This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these fields are cleared (excluding PrivateOptionType val1 above?). |
| | | |
| "SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]]. | | "SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]]. |
Line 956: |
Line 1,068: |
| |- | | |- |
| | 0x40 || 0x8 || Protocol version string | | | 0x40 || 0x8 || Protocol version string |
| + | |} |
| + | |
| + | = KeyAndCertParams = |
| + | This is "nn::ssl::ContextPrivate::KeyAndCertParams". This is a 0x58-byte struct. |
| + | |
| + | This was added with [16.0.0+]. |
| + | |
| + | The constructor for this in official sw just clears this struct. |
| + | |
| + | {| class="wikitable" border="1" |
| + | |- |
| + | ! Offset |
| + | ! Size |
| + | ! Description |
| + | |- |
| + | | 0x0 || 0x4 || Must be value 1. |
| + | |- |
| + | | 0x4 || 0x4 || s32 Key size in bits. |
| + | |- |
| + | | 0x8 || 0x8 || Public exponent, must be non-zero. Only the low 4-bytes are used. |
| + | |- |
| + | | 0x10 || 0x40 || CN (Common Name) NUL-terminated string. |
| + | |- |
| + | | 0x50 || 0x4 || An error is thrown if this is value 0 or >0x3F. The official wrapper code for [[#GeneratePrivateKeyAndCert]] verifies that this matches the output from <code>strnlen(struct+0x10, 0x40)</code>, however the sysmodule version just throws an error if the strnlen output matches 0x40 (as in no NUL-terminator found). |
| |} | | |} |
| | | |