SSL services: Difference between revisions
Line 68: | Line 68: | ||
== SetDebugOption == | == SetDebugOption == | ||
Takes an input u32 | Takes an input u32 [[#DebugOptionType]] and a type-0x5 input buffer, no output. | ||
The input u32 value must be 0, and the buffer addr/size must not be 0. | The input u32 value must be 0, and the buffer addr/size must not be 0. | ||
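Review bot: the newly linked [[#DebugOptionType]] only defines value 0 AllowDisableVerifyOption, and the [[#VerifyOption]] text later says that on [9.0.0+] this DebugOption state flag exempts a connection from the otherwise mandatory low 2 bits (PeerCa|HostName); consider stating that effect here, at the call that sets it, so a reader auditing a client sees that SetDebugOption is what relaxes certificate verification rather than having to find it in the enum table.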
Line 77: | Line 77: | ||
== GetDebugOption == | == GetDebugOption == | ||
Takes an input u32 | Takes an input u32 [[#DebugOptionType]] and a type-0x6 output buffer. | ||
Same as [[#SetDebugOption]] except this copies state to the buffer instead. | Same as [[#SetDebugOption]] except this copies state to the buffer instead. | ||
Line 314: | Line 314: | ||
= SslVersion = | = SslVersion = | ||
This is | This is "nn::ssl::sf::SslVersion" or "nn::ssl::Context::SslVersion". | ||
{| class="wikitable" border="1" | |||
|- | |||
! Value | |||
! Description | |||
|- | |||
| 0x1 || Auto | |||
|- | |||
| 0x8 || TlsV10 | |||
|- | |||
| 0x10 || TlsV11 | |||
|- | |||
| 0x20 || TlsV12 | |||
|} | |||
= DebugOptionType = | |||
This is "nn::ssl::sf::DebugOptionType" or "nn::ssl::DebugOption". | |||
{| class="wikitable" border="1" | |||
|- | |||
! Value | |||
! Description | |||
|- | |||
| 0 || AllowDisableVerifyOption | |||
|} | |||
= FlushSessionCacheOptionType = | = FlushSessionCacheOptionType = | ||
This is | This is "nn::ssl::sf::FlushSessionCacheOptionType" or "nn::ssl::FlushSessionCacheOptionType". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
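Review bot: the SslVersion table jumps from 0x1 Auto to 0x8 TlsV10, leaving 0x2 and 0x4 unaccounted for; if those values are unused or reserved, say so, and state which version Auto negotiates. The new DebugOptionType table names AllowDisableVerifyOption without describing what it does; a one-line pointer to the [9.0.0+] exemption described under [[#VerifyOption]] would make the security impact of the option visible where the value is defined.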
Line 324: | Line 349: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || SingleHost | ||
|- | |- | ||
| 1 || | | 1 || AllHosts | ||
|} | |} | ||
= BuiltInCertificateInfo = | = BuiltInCertificateInfo = | ||
This is "nn::ssl::BuiltInManager::BuiltInCertificateInfo". | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
Line 342: | Line 369: | ||
| 0x4 | | 0x4 | ||
| 0x4 | | 0x4 | ||
| [[# | | [[#TrustedCertStatus]] | ||
|- | |- | ||
| 0x8 | | 0x8 | ||
| 0x8 | | 0x8 | ||
| | | CertificateSize | ||
|- | |- | ||
| 0x10 | | 0x10 | ||
| 0x8 | | 0x8 | ||
| | | CertificateDataOffset | ||
|} | |} | ||
This is the struct returned by [[#GetCertificates]]. | This is the struct returned by [[#GetCertificates]]. It is internally converted from "nn::ssl::detail::BuiltinDataInfo" by copying "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" into [[#TrustedCertStatus]] and official software then further converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" by transforming "CertificateDataOffset" into an actual pointer. | ||
= TrustedCertStatus = | |||
This is "nn::ssl::TrustedCertStatus". | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
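Review bot: the description under the BuiltInCertificateInfo table is one run-on sentence covering three conversions (BuiltinDataInfo, then BuiltInCertificateInfo with a status copy, then the pointer form); split it into one sentence per step. CertificateDataOffset also needs a stated base (relative to the start of the [[#GetCertificates]] output buffer or to the entry itself), and it is worth saying whether CertificateSize is bounded by the output buffer, since a consumer walking the array has to check offset plus size against the buffer before dereferencing.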
Line 363: | Line 392: | ||
| -1 | | -1 | ||
| Invalid | | Invalid | ||
|- | |||
| 0 | |||
| Removed | |||
|- | |- | ||
| 1 | | 1 | ||
| | | EnabledTrusted | ||
|- | |||
| 2 | |||
| EnabledNotTrusted | |||
|- | |||
| 3 | |||
| Revoked | |||
|} | |} | ||
This is | = CaCertificateId = | ||
This is "nn::ssl::CaCertificateId". | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
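Review bot: TrustedCertStatus gains a -1 Invalid entry while BuiltInCertificateInfo stores the status in a 0x4-byte field at offset 0x4; document that the field is signed so readers do not misread 0xFFFFFFFF. It would also help to state that only EnabledTrusted (1) means the certificate is usable for verification, and whether entries with Removed, EnabledNotTrusted or Revoked status are returned by GetCertificates at all, since a consumer must not treat those as trust anchors.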
Line 376: | Line 414: | ||
! Description | ! Description | ||
|- | |- | ||
| 1 || | | -1 || All | ||
|- | |||
| 1 || NintendoCAG3 | |||
|- | |||
| 2 || NintendoClass2CAG3 | |||
|- | |||
| 1000 || AmazonRootCA1 | |||
|- | |||
| 1001 || StarfieldServicesRootCertificateAuthorityG2 | |||
|- | |||
| 1002 || AddTrustExternalCARoot | |||
|- | |||
| 1003 || COMODOCertificationAuthority | |||
|- | |||
| 1004 || UTNDATACorpSGC | |||
|- | |||
| 1005 || UTNUSERFirstHardware | |||
|- | |||
| 1006 || BaltimoreCyberTrustRoot | |||
|- | |||
| 1007 || CybertrustGlobalRoot | |||
|- | |||
| 1008 || VerizonGlobalRootCA | |||
|- | |||
| 1009 || DigiCertAssuredIDRootCA | |||
|- | |||
| 1010 || DigiCertAssuredIDRootG2 | |||
|- | |||
| 1011 || DigiCertGlobalRootCA | |||
|- | |||
| 1012 || DigiCertGlobalRootG2 | |||
|- | |||
| 1013 || DigiCertHighAssuranceEVRootCA | |||
|- | |||
| 1014 || EntrustnetCertificationAuthority2048 | |||
|- | |||
| 1015 || EntrustRootCertificationAuthority | |||
|- | |||
| 1016 || EntrustRootCertificationAuthorityG2 | |||
|- | |||
| 1017 || GeoTrustGlobalCA2 | |||
|- | |||
| 1018 || GeoTrustGlobalCA | |||
|- | |||
| 1019 || GeoTrustPrimaryCertificationAuthorityG3 | |||
|- | |||
| 1020 || GeoTrustPrimaryCertificationAuthority | |||
|- | |||
| 1021 || GlobalSignRootCA | |||
|- | |||
| 1022 || GlobalSignRootCAR2 | |||
|- | |||
| 1023 || GlobalSignRootCAR3 | |||
|- | |||
| 1024 || GoDaddyClass2CertificationAuthority | |||
|- | |||
| 1025 || GoDaddyRootCertificateAuthorityG2 | |||
|- | |||
| 1026 || StarfieldClass2CertificationAuthority | |||
|- | |||
| 1027 || StarfieldRootCertificateAuthorityG2 | |||
|- | |||
| 1028 || thawtePrimaryRootCAG3 | |||
|- | |||
| 1029 || thawtePrimaryRootCA | |||
|- | |||
| 1030 || VeriSignClass3PublicPrimaryCertificationAuthorityG3 | |||
|- | |- | ||
| | | 1031 || VeriSignClass3PublicPrimaryCertificationAuthorityG5 | ||
|- | |||
| 1032 || VeriSignUniversalRootCertificationAuthority | |||
|- | |||
| 1033 || DSTRootCAX3 | |||
|} | |} | ||
= InternalPki = | = InternalPki = | ||
This is | This is "nn::ssl::sf::InternalPki" or "nn::ssl::Context::InternalPki". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
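Review bot: the CaCertificateId table adds -1 All and the 1000-range ids without the firmware-version markers ([3.0.0+] etc.) that the other tables on this page use; if the wildcard or the 1000-range entries were introduced in a specific firmware, mark them. A sentence explaining the split between ids 1-2 and 1000+ (Nintendo-issued CAs versus public roots, judging by the names) would also help readers of the table.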
Line 393: | Line 497: | ||
! Description | ! Description | ||
|- | |- | ||
| 1 || | | 0 || None | ||
|- | |||
| 1 || DeviceClientCertDefault | |||
|} | |} | ||
An error is thrown by [[#RegisterInternalPki]] when the input value does not match "DeviceClientCertDefault". | |||
= ContextOption = | = ContextOption = | ||
This is | This is "nn::ssl::sf::ContextOption" or "nn::ssl::Context::ContextOption". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
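Review bot: "when the input value does not match DeviceClientCertDefault" implies that None (0) is rejected by [[#RegisterInternalPki]] as well; state that explicitly, because listing None in the value table suggests it is an accepted input.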
Line 404: | Line 512: | ||
! Description | ! Description | ||
|- | |- | ||
| 1 || | | 0 || None | ||
|- | |||
| 1 || CrlImportDateCheckEnable | |||
|} | |} | ||
= CertificateFormat = | = CertificateFormat = | ||
This is | This is "nn::ssl::sf::CertificateFormat" or "nn::ssl::CertificateFormat". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Line 415: | Line 525: | ||
! Description | ! Description | ||
|- | |- | ||
| 1 || | | 1 || Pem | ||
|- | |- | ||
| 2 || | | 2 || Der | ||
|} | |} | ||
= VerifyOption = | = VerifyOption = | ||
This is | This is "nn::ssl::sf::VerifyOption". This is a bitmask. | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Line 430: | Line 538: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || PeerCa | ||
|- | |- | ||
| 1 || | | 1 || HostName | ||
|- | |- | ||
| 2 || | | 2 || DateCheck | ||
|- | |- | ||
| 3 || | | 3 || EvCertPartial | ||
|- | |- | ||
| 4 || [6.0.0+] | | 4 || [6.0.0+] EvPolicyOid | ||
|- | |- | ||
| 5 || [6.0.0+] | | 5 || [6.0.0+] EvCertFingerprint | ||
|} | |} | ||
Originally ssl-sysmodule ([[#SetVerifyOption]]) just wrote the input field to state. With [5.0.0+] there's now validation for the input, with the value written to state masked with {allowed bitmask}. When [[#SetInterfaceVersion|InterfaceVersion]] is >=0x2, the low 2-bits of VerifyOption must be set, unless {state flag for [[#OptionType]] value 2} is set or [9.0.0+] {bool [[#SetDebugOption|DebugOption]] state flag} is set, otherwise an error is thrown. [6.0.0+]: Following that, if VerifyOption bit4 is set, then VerifyOption & 0x15 must match 0x15 otherwise an error is thrown. | |||
= IoMode = | = IoMode = | ||
This is | This is "nn::ssl::sf::IoMode" or "nn::ssl::Connection::IoMode". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
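Review bot: the VerifyOption paragraph leaves {allowed bitmask} as a placeholder; fill it in or mark it as unknown, since the masked write is the whole point of the [5.0.0+] validation. The table lists bit indices while the text uses masks, so spell them out: "low 2-bits" is PeerCa|HostName (0x3), and 0x15 is PeerCa|DateCheck|EvPolicyOid, meaning that on [6.0.0+] setting bit4 EvPolicyOid requires PeerCa and DateCheck as well. It would also read better to name the [[#OptionType]] value 2 flag as SkipDefaultVerify instead of referring to it by number.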
Line 451: | Line 561: | ||
! Description | ! Description | ||
|- | |- | ||
| 1 || | | 1 || Blocking | ||
|- | |- | ||
| 2 || | | 2 || NonBlocking | ||
|} | |} | ||
= PollEvent = | = PollEvent = | ||
This is | This is "nn::ssl::sf::PollEvent" or "nn::ssl::Connection::PollEvent". This is a bitmask. | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Line 464: | Line 574: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || Read | ||
|- | |- | ||
| 1 || | | 1 || Write | ||
|- | |- | ||
| 2 || | | 2 || Except | ||
|} | |} | ||
= SessionCacheMode = | = SessionCacheMode = | ||
This is | This is "nn::ssl::sf::SessionCacheMode" or "nn::ssl::Connection::SessionCacheMode". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Line 479: | Line 589: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || None | ||
|- | |- | ||
| 1 || | | 1 || SessionId | ||
|- | |- | ||
| 2 || | | 2 || SessionTicket | ||
|} | |} | ||
= RenegotiationMode = | = RenegotiationMode = | ||
This is | This is "nn::ssl::sf::RenegotiationMode" or "nn::ssl::Connection::RenegotiationMode". | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
Line 494: | Line 604: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || None | ||
|- | |- | ||
| 1 || | | 1 || Secure | ||
|} | |} | ||
= OptionType = | = OptionType = | ||
This is | This is "nn::ssl::sf::OptionType" or "nn::ssl::Connection::OptionType". | ||
{| class="wikitable" border="1" | |||
|- | |||
! Value | |||
! Description | |||
|- | |||
| 0 || DoNotCloseSocket | |||
|- | |||
| 1 || [3.0.0+] GetServerCertChain | |||
|- | |||
| 2 || [5.0.0+] SkipDefaultVerify | |||
|- | |||
| 3 || [9.0.0+] EnableAlpn | |||
|} | |||
This corresponds to bool flags. | This corresponds to bool flags. | ||
"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]]. | |||
= AlpnProtoState = | |||
This is "nn::ssl::sf::AlpnProtoState" or "nn::ssl::Connection::AlpnProtoState". | |||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
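Review bot: the link [[#VerifyOption|SetVerifyOption]] points at the enum section rather than the SetVerifyOption command; use [[#SetVerifyOption]] as elsewhere on the page. Since the VerifyOption text refers to this flag only as "{state flag for OptionType value 2}", add here that SkipDefaultVerify is what lifts the PeerCa|HostName requirement when InterfaceVersion is >= 0x2, so the effect of the option is documented next to its definition.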
Line 509: | Line 638: | ||
! Description | ! Description | ||
|- | |- | ||
| 0 || | | 0 || NoSupport | ||
|- | |- | ||
| 1 || | | 1 || Negotiated | ||
|- | |- | ||
| 2 || | | 2 || NoOverlap | ||
|- | |- | ||
| 3 || | | 3 || Selected | ||
|- | |||
| 4 || EarlyValue | |||
|} | |} | ||
= CipherInfo = | = CipherInfo = | ||
Line 544: | Line 672: | ||
These have the following structure: | These have the following structure: | ||
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
|- | |- | ||
Line 567: | Line 694: | ||
| 0x0 | | 0x0 | ||
| 0x4 | | 0x4 | ||
| | | Id | ||
|- | |- | ||
| 0x4 | | 0x4 |