SSL services: Difference between revisions

No edit summary
No edit summary
Line 68: Line 68:


== SetDebugOption ==
== SetDebugOption ==
Takes an input u32 '''DebugOptionType''' and a type-0x5 input buffer, no output.
Takes an input u32 [[#DebugOptionType]] and a type-0x5 input buffer, no output.


The input u32 value must be 0, and the buffer addr/size must not be 0.
The input u32 value must be 0, and the buffer addr/size must not be 0.
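Review bot: The unchanged constraint "The input u32 value must be 0, and the buffer addr/size must not be 0." should now name the enum value, because the new [[#DebugOptionType]] link resolves to a table whose only entry is 0 = AllowDisableVerifyOption; writing "must be 0 (AllowDisableVerifyOption)" ties the check to the table and makes clear that this command sets the flag the VerifyOption checks consult.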
Line 77: Line 77:


== GetDebugOption ==
== GetDebugOption ==
Takes an input u32 '''DebugOptionType''' and a type-0x6 output buffer.
Takes an input u32 [[#DebugOptionType]] and a type-0x6 output buffer.


Same as [[#SetDebugOption]] except this copies state to the buffer instead.
Same as [[#SetDebugOption]] except this copies state to the buffer instead.
Line 314: Line 314:


= SslVersion =
= SslVersion =
This is the "nn::ssl::sf::SslVersion" / "nn::ssl::Context::SslVersion" enum.
This is "nn::ssl::sf::SslVersion" or "nn::ssl::Context::SslVersion".
 
{| class="wikitable" border="1"
|-
! Value
! Description
|-
| 0x1 || Auto
|-
| 0x8 || TlsV10
|-
| 0x10 || TlsV11
|-
| 0x20 || TlsV12
|}
 
= DebugOptionType =
This is "nn::ssl::sf::DebugOptionType" or "nn::ssl::DebugOption".
 
{| class="wikitable" border="1"
|-
! Value
! Description
|-
| 0 || AllowDisableVerifyOption
|}


= FlushSessionCacheOptionType =
= FlushSessionCacheOptionType =
This is the "nn::ssl::sf::FlushSessionCacheOptionType" / "nn::ssl::FlushSessionCacheOptionType" enum.
This is "nn::ssl::sf::FlushSessionCacheOptionType" or "nn::ssl::FlushSessionCacheOptionType".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
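Review bot: The new DebugOptionType table (0 = AllowDisableVerifyOption) should say what the option does, since it is a verification bypass: the VerifyOption text in this same revision states that when the [9.0.0+] DebugOption state flag is set, the low 2 bits of VerifyOption (PeerCa and HostName) are no longer required. One sentence under the table, e.g. "When set, [[#SetVerifyOption]] no longer requires the PeerCa and HostName bits", would make that consequence visible where the option is defined. Also, the lines holding a single space (before and after the SslVersion table, and before the DebugOptionType table) are trailing-whitespace lines; use empty lines like the rest of the page.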
Line 324: Line 349:
! Description
! Description
|-
|-
| 0 ||  
| 0 || SingleHost
|-
|-
| 1 ||  
| 1 || AllHosts
|}
|}


= BuiltInCertificateInfo =
= BuiltInCertificateInfo =
This is "nn::ssl::BuiltInManager::BuiltInCertificateInfo".
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
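Review bot: The added line 'This is "nn::ssl::BuiltInManager::BuiltInCertificateInfo".' under = BuiltInCertificateInfo = conflicts with the paragraph below the struct table, which says official software converts this struct into nn::ssl::BuiltInManager::BuiltInCertificateInfo by turning CertificateDataOffset into a pointer; the offset-based struct returned by GetCertificates and the pointer-based BuiltInManager struct cannot both be that type. Either name the sf/wire struct here or drop the line and let the paragraph carry the identification.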
Line 342: Line 369:
| 0x4
| 0x4
| 0x4
| 0x4
| [[#BuiltinDataStatus]]
| [[#TrustedCertStatus]]
|-
|-
| 0x8
| 0x8
| 0x8
| 0x8
| Data size
| CertificateSize
|-
|-
| 0x10
| 0x10
| 0x8
| 0x8
| Data offset
| CertificateDataOffset
|}
|}


This is the struct returned by [[#GetCertificates]]. Official sw converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" with offset converted to a ptr.
This is the struct returned by [[#GetCertificates]]. It is internally converted from "nn::ssl::detail::BuiltinDataInfo" by copying "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" into [[#TrustedCertStatus]] and official software then further converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" by transforming "CertificateDataOffset" into an actual pointer.
 
= TrustedCertStatus =
This is "nn::ssl::TrustedCertStatus".


= BuiltinDataStatus =
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
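Review bot: Removing the "= BuiltinDataStatus =" heading and retargeting the struct field link to [[#TrustedCertStatus]] breaks any existing link to #BuiltinDataStatus elsewhere on the wiki; keep an anchor (or a one-line note under the new heading) so the old section name still resolves. Independently, the rewritten paragraph after the struct table is one long sentence; splitting it at "and official software then" would read more easily.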
Line 363: Line 392:
| -1
| -1
| Invalid
| Invalid
|-
| 0
| Removed
|-
|-
| 1
| 1
| Valid
| EnabledTrusted
|-
| 2
| EnabledNotTrusted
|-
| 3
| Revoked
|}
|}


This is the "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" enum.
= CaCertificateId =
This is "nn::ssl::CaCertificateId".


= CaCertificateId =
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
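Review bot: The expanded status table (Removed, EnabledTrusted, EnabledNotTrusted, Revoked) should state how a consumer of GetCertificates is expected to treat each state, since only EnabledTrusted names a certificate that may be trusted; the old "Valid" row did not need that, but with three distinct non-trusted states a sentence under the table saying which ones are excluded from the trust store (or that this is not yet known) is needed.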
Line 376: Line 414:
! Description
! Description
|-
|-
| 1 || Nintendo {...}
| -1 || All
|-
| 1 || NintendoCAG3
|-
| 2 || NintendoClass2CAG3
|-
| 1000 || AmazonRootCA1
|-
| 1001 || StarfieldServicesRootCertificateAuthorityG2
|-
| 1002 || AddTrustExternalCARoot
|-
| 1003 || COMODOCertificationAuthority
|-
| 1004 || UTNDATACorpSGC
|-
| 1005 || UTNUSERFirstHardware
|-
| 1006 || BaltimoreCyberTrustRoot
|-
| 1007 || CybertrustGlobalRoot
|-
| 1008 || VerizonGlobalRootCA
|-
| 1009 || DigiCertAssuredIDRootCA
|-
| 1010 || DigiCertAssuredIDRootG2
|-
| 1011 || DigiCertGlobalRootCA
|-
| 1012 || DigiCertGlobalRootG2
|-
| 1013 || DigiCertHighAssuranceEVRootCA
|-
| 1014 || EntrustnetCertificationAuthority2048
|-
| 1015 || EntrustRootCertificationAuthority
|-
| 1016 || EntrustRootCertificationAuthorityG2
|-
| 1017 || GeoTrustGlobalCA2
|-
| 1018 || GeoTrustGlobalCA
|-
| 1019 || GeoTrustPrimaryCertificationAuthorityG3
|-
| 1020 || GeoTrustPrimaryCertificationAuthority
|-
| 1021 || GlobalSignRootCA
|-
| 1022 || GlobalSignRootCAR2
|-
| 1023 || GlobalSignRootCAR3
|-
| 1024 || GoDaddyClass2CertificationAuthority
|-
| 1025 || GoDaddyRootCertificateAuthorityG2
|-
| 1026 || StarfieldClass2CertificationAuthority
|-
| 1027 || StarfieldRootCertificateAuthorityG2
|-
| 1028 || thawtePrimaryRootCAG3
|-
| 1029 || thawtePrimaryRootCA
|-
| 1030 || VeriSignClass3PublicPrimaryCertificationAuthorityG3
|-
|-
| 2 || Nintendo {...}
| 1031 || VeriSignClass3PublicPrimaryCertificationAuthorityG5
|-
| 1032 || VeriSignUniversalRootCertificationAuthority
|-
| 1033 || DSTRootCAX3
|}
|}
This is the "nn::ssl::CaCertificateId" enum. Note: the above is missing the non-Nintendo certs.


= InternalPki =
= InternalPki =
This is the "nn::ssl::sf::InternalPki" / "nn::ssl::Context::InternalPki" enum.
This is "nn::ssl::sf::InternalPki" or "nn::ssl::Context::InternalPki".
 
An error is thrown by [[#RegisterInternalPki]] when the input value does not match 1.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
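Review bot: The new CaCertificateId rows (1000 through 1033) carry no firmware version tags, while the other tables in this revision mark later additions with [x.0.0+] (the OptionType rows, for instance); if these IDs were added across firmware versions, tag them the same way so readers can tell which roots an older system trusts. The row "| -1 || All" also wants a sentence on where it is accepted, since it is a selector rather than a certificate.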
Line 393: Line 497:
! Description
! Description
|-
|-
| 1 ||  
| 0 || None
|-
| 1 || DeviceClientCertDefault
|}
|}
An error is thrown by [[#RegisterInternalPki]] when the input value does not match "DeviceClientCertDefault".


= ContextOption =
= ContextOption =
This is the "nn::ssl::sf::ContextOption" / "nn::ssl::Context::ContextOption" enum.
This is "nn::ssl::sf::ContextOption" or "nn::ssl::Context::ContextOption".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
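Review bot: The sentence moved above the InternalPki table now reads "when the input value does not match 1", whereas the sentence it replaces said 'does not match "DeviceClientCertDefault"' and the table gives exactly that name for 1; keep the name in the sentence, with the value in parentheses, so the text and the table agree and a later renumbering cannot silently desynchronise them.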
Line 404: Line 512:
! Description
! Description
|-
|-
| 1 ||  
| 0 || None
|-
| 1 || CrlImportDateCheckEnable
|}
|}


= CertificateFormat =
= CertificateFormat =
This is the "nn::ssl::sf::CertificateFormat" / "nn::ssl::CertificateFormat" enum.
This is "nn::ssl::sf::CertificateFormat" or "nn::ssl::CertificateFormat".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
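Review bot: The row "| 1 || CrlImportDateCheckEnable" implies that date checking on CRL import is off unless this option is set; say so explicitly under the table, since a reader of "0 || None" should not have to infer the default from the option name.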
Line 415: Line 525:
! Description
! Description
|-
|-
| 1 ||  
| 1 || Pem
|-
|-
| 2 ||  
| 2 || Der
|}
|}


= VerifyOption =
= VerifyOption =
This is the "nn::ssl::sf::VerifyOption" enum. This is a bitmask.
This is "nn::ssl::sf::VerifyOption". This is a bitmask.
 
Originally ssl-sysmodule ([[#SetVerifyOption]]) just wrote the input field to state. With [5.0.0+] there's now validation for the input, with the value written to state masked with {allowed bitmask}. When [[#SetInterfaceVersion|InterfaceVersion]] is >=0x2, the low 2-bits of VerifyOption must be set, unless {state flag for [[#OptionType]] value 2} is set or [9.0.0+] {bool [[#SetDebugOption|DebugOption]] state flag} is set, otherwise an error is thrown. [6.0.0+]: Following that, if VerifyOption bit4 is set, then VerifyOption & 0x15 must match 0x15 otherwise an error is thrown.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 430: Line 538:
! Description
! Description
|-
|-
| 0 ||  
| 0 || PeerCa
|-
|-
| 1 ||  
| 1 || HostName
|-
|-
| 2 ||  
| 2 || DateCheck
|-
|-
| 3 ||  
| 3 || EvCertPartial
|-
|-
| 4 || [6.0.0+]
| 4 || [6.0.0+] EvPolicyOid
|-
|-
| 5 || [6.0.0+]
| 5 || [6.0.0+] EvCertFingerprint
|}
|}
Originally ssl-sysmodule ([[#SetVerifyOption]]) just wrote the input field to state. With [5.0.0+] there's now validation for the input, with the value written to state masked with {allowed bitmask}. When [[#SetInterfaceVersion|InterfaceVersion]] is >=0x2, the low 2-bits of VerifyOption must be set, unless {state flag for [[#OptionType]] value 2} is set or [9.0.0+] {bool [[#SetDebugOption|DebugOption]] state flag} is set, otherwise an error is thrown. [6.0.0+]: Following that, if VerifyOption bit4 is set, then VerifyOption & 0x15 must match 0x15 otherwise an error is thrown.


= IoMode =
= IoMode =
This is the "nn::ssl::sf::IoMode" / "nn::ssl::Connection::IoMode" enum.
This is "nn::ssl::sf::IoMode" or "nn::ssl::Connection::IoMode".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
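Review bot: With the bits now named, the VerifyOption paragraph (the copy kept above the table; the copy after the table is the one removed) can drop most of its placeholders: "the low 2-bits" is PeerCa | HostName, the [6.0.0+] rule "VerifyOption & 0x15 must match 0x15" is PeerCa | DateCheck | EvPolicyOid, and "{state flag for [[#OptionType]] value 2}" is the SkipDefaultVerify flag named in this revision's OptionType table; "{allowed bitmask}" stays a placeholder unless the mask is known. Also, since this is a bitmask and the paragraph speaks of "bit4", the "Value" column lists bit positions, so the header should say Bit, or the cells should give the masks (0x1, 0x2, ...).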
Line 451: Line 561:
! Description
! Description
|-
|-
| 1 ||  
| 1 || Blocking
|-
|-
| 2 ||  
| 2 || NonBlocking
|}
|}


= PollEvent =
= PollEvent =
This is the "nn::ssl::sf::PollEvent" / "nn::ssl::Connection::PollEvent" enum. This is a bitmask.
This is "nn::ssl::sf::PollEvent" or "nn::ssl::Connection::PollEvent". This is a bitmask.


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 464: Line 574:
! Description
! Description
|-
|-
| 0 ||  
| 0 || Read
|-
|-
| 1 ||  
| 1 || Write
|-
|-
| 2 ||  
| 2 || Except
|}
|}


= SessionCacheMode =
= SessionCacheMode =
This is the "nn::ssl::sf::SessionCacheMode" / "nn::ssl::Connection::SessionCacheMode" enum.
This is "nn::ssl::sf::SessionCacheMode" or "nn::ssl::Connection::SessionCacheMode".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
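Review bot: PollEvent is declared a bitmask but the table lists 0, 1, 2 under "Value"; as with VerifyOption, say whether these are bit positions (masks 0x1, 0x2, 0x4) or literal values, since a reader filling the poll field needs the mask.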
Line 479: Line 589:
! Description
! Description
|-
|-
| 0 ||  
| 0 || None
|-
|-
| 1 ||  
| 1 || SessionId
|-
|-
| 2 ||  
| 2 || SessionTicket
|}
|}


= RenegotiationMode =
= RenegotiationMode =
This is the "nn::ssl::sf::RenegotiationMode" / "nn::ssl::Connection::RenegotiationMode" enum.
This is "nn::ssl::sf::RenegotiationMode" or "nn::ssl::Connection::RenegotiationMode".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
Line 494: Line 604:
! Description
! Description
|-
|-
| 0 ||  
| 0 || None
|-
|-
| 1 ||  
| 1 || Secure
|}
|}


= OptionType =
= OptionType =
This is the "nn::ssl::sf::OptionType" / "nn::ssl::Connection::OptionType" enum.
This is "nn::ssl::sf::OptionType" or "nn::ssl::Connection::OptionType".
 
{| class="wikitable" border="1"
|-
! Value
! Description
|-
| 0 || DoNotCloseSocket
|-
| 1 || [3.0.0+] GetServerCertChain
|-
| 2 || [5.0.0+] SkipDefaultVerify
|-
| 3 || [9.0.0+] EnableAlpn
|}


This corresponds to bool flags.
This corresponds to bool flags.
"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].
= AlpnProtoState =
This is "nn::ssl::sf::AlpnProtoState" or "nn::ssl::Connection::AlpnProtoState".


{| class="wikitable" border="1"
{| class="wikitable" border="1"
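Review bot: The added sentence '"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] ...' links to the VerifyOption enum section while naming the SetVerifyOption command, which this page links directly elsewhere as [[#SetVerifyOption]]; point it at the command. The same sentence and the "= AlpnProtoState =" heading also follow the preceding line with no blank line between them, unlike every other section boundary in this diff; add the blank lines.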
Line 509: Line 638:
! Description
! Description
|-
|-
| 0 ||  
| 0 || NoSupport
|-
|-
| 1 || [3.0.0+]
| 1 || Negotiated
|-
|-
| 2 || [5.0.0+] This flag is checked by [[#VerifyOption|SetVerifyOption]].
| 2 || NoOverlap
|-
|-
| 3 || [9.0.0+] Only available with [[#SetOption_2|SetOption]].
| 3 || Selected
|-
| 4 || EarlyValue
|}
|}
= AlpnProtoState =
This is the "nn::ssl::sf::AlpnProtoState" / "nn::ssl::Connection::AlpnProtoState" enum.


= CipherInfo =
= CipherInfo =
Line 544: Line 672:


These have the following structure:
These have the following structure:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
Line 567: Line 694:
| 0x0
| 0x0
| 0x4
| 0x4
| ID
| Id
|-
|-
| 0x4
| 0x4