Difference between revisions of "SSL services"

From Nintendo Switch Brew
Jump to navigation Jump to search
Line 26: Line 26:
  
 
== GetCertificates ==
 
== GetCertificates ==
Takes a type-0x6 output buffer and a type-0x5 input buffer containing an array of s32 '''CaCertificateId'''.
+
Takes a type-0x6 output buffer and a type-0x5 input buffer containing an array of [[#CaCertificateId]].
  
[3.0.0+] This now returns 4-bytes of output.
+
[3.0.0+] This now returns an output u32 for actual total output entries.
 +
 
 +
The output buffer starts with an array of [[#BuiltInCertificateInfo]], with the DER cert data following afterwards.
  
 
== GetCertificateBufSize ==
 
== GetCertificateBufSize ==
Takes a type-0x5 input buffer containing an array of s32 '''CaCertificateId''', returns an output u32 for the size to use with [[#GetCertificates]].
+
Takes a type-0x5 input buffer containing an array of [[#CaCertificateId]], returns an output u32 for the size to use with [[#GetCertificates]].
  
 
== DebugIoctl ==
 
== DebugIoctl ==
Line 139: Line 141:
 
| 25 || [4.0.0+] GetCipherInfo
 
| 25 || [4.0.0+] GetCipherInfo
 
|}
 
|}
 +
 +
= BuiltInCertificateInfo =
 +
{| class="wikitable" border="1"
 +
|-
 +
! Offset
 +
! Size
 +
! Description
 +
|-
 +
| 0x0
 +
| 0x4
 +
| CaCertificateId
 +
|-
 +
| 0x4
 +
| 0x4
 +
| [[#BuiltinDataStatus]]
 +
|-
 +
| 0x8
 +
| 0x8
 +
| Data size
 +
|-
 +
| 0x10
 +
| 0x8
 +
| Data offset
 +
|}
 +
 +
This is the struct returned by [[#GetCertificates]]. Official sw converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" with offset converted to a ptr.
 +
 +
= BuiltinDataStatus =
 +
{| class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| -1
 +
| Invalid
 +
|-
 +
| 1
 +
| Valid
 +
|}
 +
 +
This is the "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" enum.
 +
 +
= CaCertificateId =
 +
{| class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 1
 +
| Nintendo {...}
 +
|-
 +
| 2
 +
| Nintendo {...}
 +
|}
 +
 +
This is the "nn::ssl::CaCertificateId" enum.
  
 
= Client cert+privk =
 
= Client cert+privk =

Revision as of 16:59, 2 July 2019

ssl

This is "nn::ssl::sf::ISslService".

Cmd Name
0 CreateContext
1 GetContextCount
2 #GetCertificates
3 #GetCertificateBufSize
4 [3.0.0+] #DebugIoctl
5 [3.0.0+] SetInterfaceVersion
6 [5.0.0+] FlushSessionCache
7 [6.0.0+] #SetDebugOption
8 [6.0.0+] #GetDebugOption

GetCertificates

Takes a type-0x6 output buffer and a type-0x5 input buffer containing an array of #CaCertificateId.

[3.0.0+] This now returns an output u32 for actual total output entries.

The output buffer starts with an array of #BuiltInCertificateInfo, with the DER cert data following afterwards.

GetCertificateBufSize

Takes a type-0x5 input buffer containing an array of #CaCertificateId, returns an output u32 for the size to use with #GetCertificates.

DebugIoctl

Stubbed on retail, just returns an error.

SetDebugOption

Takes an input u32 DebugOptionType and a type-0x5 input buffer, no output.

The input u32 value must be 0, and the buffer addr/size must not be 0.

The u8 at buf+0 is copied to state.

GetDebugOption

Takes an input u32 DebugOptionType and a type-0x6 output buffer.

Same as #SetDebugOption except this copies state to the buffer instead.

ISslContext

This is "nn::ssl::sf::ISslContext".

Cmd Name
0 SetOption
1 GetOption
2 CreateConnection
3 GetConnectionCount
4 ImportServerPki
5 ImportClientPki
6 RemoveServerPki
7 RemoveClientPki
8 RegisterInternalPki
9 AddPolicyOid
10 [3.0.0+] ImportCrl
11 [3.0.0+] RemoveCrl

ISslConnection

This is "nn::ssl::sf::ISslConnection".

Cmd Name
0 SetSocketDescriptor
1 SetHostName
2 SetVerifyOption
3 SetIoMode
4 GetSocketDescriptor
5 GetHostName
6 GetVerifyOption
7 GetIoMode
8 DoHandshake
9 DoHandshakeGetServerCert
10 Read
11 Write
12 Pending
13 Peek
14 Poll
15 GetVerifyCertError
16 GetNeededServerCertBufferSize
17 SetSessionCacheMode
18 GetSessionCacheMode
19 FlushSessionCache
20 SetRenegotiationMode
21 GetRenegotiationMode
22 SetOption
23 GetOption
24 GetVerifyCertErrors
25 [4.0.0+] GetCipherInfo

BuiltInCertificateInfo

Offset Size Description
0x0 0x4 CaCertificateId
0x4 0x4 #BuiltinDataStatus
0x8 0x8 Data size
0x10 0x8 Data offset

This is the struct returned by #GetCertificates. Official sw converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" with offset converted to a ptr.

BuiltinDataStatus

Value Description
-1 Invalid
1 Valid

This is the "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" enum.

CaCertificateId

Value Description
1 Nintendo {...}
2 Nintendo {...}

This is the "nn::ssl::CaCertificateId" enum.

Client cert+privk

SSL-sysmodule uses set:cal GetSslKey and GetSslCert. The rest of this section documents handling for the former, which can be decrypted with SPL.

key* below refers to the 3 0x10-byte input blocks passed to this code.

When actual_size is:

  • 0x100+0x10: If the u32 actual_size is less than (u32)-0x11, and the last 0x10-bytes of the actual-data are all-zero, the data is copied to the output as raw plaintext. If a non-zero byte is found, it will continue with SPL usage, skipping over the SPL block for the devunit flag. In this case, key=key0 and the flag passed to SPL later is set to 0.
  • 0x100+0x30: Size must match this if it's not the above, otherwise error 0xC81A is returned. The flag passed to SPL later is set to 1 in this case. Runs the devunit-flag-block: uses SPL_services#SPL#GetDevunitFlag. key = key1 when out_flag!=0, key2 otherwise.
Retrieved from "https://switchbrew.org/w/index.php?title=SSL_services&oldid=7104"