security/certverifier/NSSCertDBTrustDomain.h@7e26c7da4463 (annotated)
security/certverifier/NSSCertDBTrustDomain.h
Wed, 31 Dec 2014 06:55:50 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:55:50 +0100
- changeset 2
- 7e26c7da4463
- permissions
- -rw-r--r--
Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
| michael@0 | 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ |
| michael@0 | 3 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | #ifndef mozilla_psm__NSSCertDBTrustDomain_h |
| michael@0 | 8 | #define mozilla_psm__NSSCertDBTrustDomain_h |
| michael@0 | 9 | |
| michael@0 | 10 | #include "pkix/pkixtypes.h" |
| michael@0 | 11 | #include "secmodt.h" |
| michael@0 | 12 | #include "CertVerifier.h" |
| michael@0 | 13 | |
| michael@0 | 14 | namespace mozilla { namespace psm { |
| michael@0 | 15 | |
| michael@0 | 16 | SECStatus InitializeNSS(const char* dir, bool readOnly); |
| michael@0 | 17 | |
| michael@0 | 18 | void DisableMD5(); |
| michael@0 | 19 | |
| michael@0 | 20 | extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[]; |
| michael@0 | 21 | |
| michael@0 | 22 | void PORT_Free_string(char* str); |
| michael@0 | 23 | |
| michael@0 | 24 | // The dir parameter is the path to the directory containing the NSS builtin |
| michael@0 | 25 | // roots module. Usually this is the same as the path to the other NSS shared |
| michael@0 | 26 | // libraries. If it is null then the (library) path will be searched. |
| michael@0 | 27 | // |
| michael@0 | 28 | // The modNameUTF8 parameter should usually be |
| michael@0 | 29 | // BUILTIN_ROOTS_MODULE_DEFAULT_NAME. |
| michael@0 | 30 | SECStatus LoadLoadableRoots(/*optional*/ const char* dir, |
| michael@0 | 31 | const char* modNameUTF8); |
| michael@0 | 32 | |
| michael@0 | 33 | void UnloadLoadableRoots(const char* modNameUTF8); |
| michael@0 | 34 | |
| michael@0 | 35 | // Controls the OCSP fetching behavior of the classic verification mode. In the |
| michael@0 | 36 | // classic mode, the OCSP fetching behavior is set globally instead of per |
| michael@0 | 37 | // validation. |
| michael@0 | 38 | void |
| michael@0 | 39 | SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled, |
| michael@0 | 40 | CertVerifier::ocsp_strict_config strict, |
| michael@0 | 41 | CertVerifier::ocsp_get_config get); |
| michael@0 | 42 | |
| michael@0 | 43 | // Caller must free the result with PR_Free |
| michael@0 | 44 | char* DefaultServerNicknameForCert(CERTCertificate* cert); |
| michael@0 | 45 | |
| michael@0 | 46 | void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList); |
| michael@0 | 47 | |
| michael@0 | 48 | class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain |
| michael@0 | 49 | { |
| michael@0 | 50 | |
| michael@0 | 51 | public: |
| michael@0 | 52 | enum OCSPFetching { |
| michael@0 | 53 | NeverFetchOCSP = 0, |
| michael@0 | 54 | FetchOCSPForDVSoftFail = 1, |
| michael@0 | 55 | FetchOCSPForDVHardFail = 2, |
| michael@0 | 56 | FetchOCSPForEV = 3, |
| michael@0 | 57 | LocalOnlyOCSPForEV = 4, |
| michael@0 | 58 | }; |
| michael@0 | 59 | NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching, |
| michael@0 | 60 | OCSPCache& ocspCache, void* pinArg, |
| michael@0 | 61 | CERTChainVerifyCallback* checkChainCallback = nullptr); |
| michael@0 | 62 | |
| michael@0 | 63 | virtual SECStatus FindPotentialIssuers( |
| michael@0 | 64 | const SECItem* encodedIssuerName, |
| michael@0 | 65 | PRTime time, |
| michael@0 | 66 | /*out*/ mozilla::pkix::ScopedCERTCertList& results); |
| michael@0 | 67 | |
| michael@0 | 68 | virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA, |
| michael@0 | 69 | SECOidTag policy, |
| michael@0 | 70 | const CERTCertificate* candidateCert, |
| michael@0 | 71 | /*out*/ TrustLevel* trustLevel); |
| michael@0 | 72 | |
| michael@0 | 73 | virtual SECStatus VerifySignedData(const CERTSignedData* signedData, |
| michael@0 | 74 | const CERTCertificate* cert); |
| michael@0 | 75 | |
| michael@0 | 76 | virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA, |
| michael@0 | 77 | const CERTCertificate* cert, |
| michael@0 | 78 | /*const*/ CERTCertificate* issuerCert, |
| michael@0 | 79 | PRTime time, |
| michael@0 | 80 | /*optional*/ const SECItem* stapledOCSPResponse); |
| michael@0 | 81 | |
| michael@0 | 82 | virtual SECStatus IsChainValid(const CERTCertList* certChain); |
| michael@0 | 83 | |
| michael@0 | 84 | private: |
| michael@0 | 85 | enum EncodedResponseSource { |
| michael@0 | 86 | ResponseIsFromNetwork = 1, |
| michael@0 | 87 | ResponseWasStapled = 2 |
| michael@0 | 88 | }; |
| michael@0 | 89 | static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC; |
| michael@0 | 90 | SECStatus VerifyAndMaybeCacheEncodedOCSPResponse( |
| michael@0 | 91 | const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time, |
| michael@0 | 92 | uint16_t maxLifetimeInDays, const SECItem* encodedResponse, |
| michael@0 | 93 | EncodedResponseSource responseSource, /*out*/ bool& expired); |
| michael@0 | 94 | |
| michael@0 | 95 | const SECTrustType mCertDBTrustType; |
| michael@0 | 96 | const OCSPFetching mOCSPFetching; |
| michael@0 | 97 | OCSPCache& mOCSPCache; // non-owning! |
| michael@0 | 98 | void* mPinArg; // non-owning! |
| michael@0 | 99 | CERTChainVerifyCallback* mCheckChainCallback; // non-owning! |
| michael@0 | 100 | }; |
| michael@0 | 101 | |
| michael@0 | 102 | } } // namespace mozilla::psm |
| michael@0 | 103 | |
| michael@0 | 104 | #endif // mozilla_psm__NSSCertDBTrustDomain_h |
