security/certverifier/CertVerifier.h@b8a032363ba2 (annotated)
security/certverifier/CertVerifier.h
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
| michael@0 | 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ |
| michael@0 | 3 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | #ifndef mozilla_psm__CertVerifier_h |
| michael@0 | 8 | #define mozilla_psm__CertVerifier_h |
| michael@0 | 9 | |
| michael@0 | 10 | #include "pkix/pkixtypes.h" |
| michael@0 | 11 | #include "OCSPCache.h" |
| michael@0 | 12 | |
| michael@0 | 13 | namespace mozilla { namespace psm { |
| michael@0 | 14 | |
| michael@0 | 15 | struct ChainValidationCallbackState; |
| michael@0 | 16 | |
| michael@0 | 17 | class CertVerifier |
| michael@0 | 18 | { |
| michael@0 | 19 | public: |
| michael@0 | 20 | typedef unsigned int Flags; |
| michael@0 | 21 | // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case |
| michael@0 | 22 | static const Flags FLAG_LOCAL_ONLY; |
| michael@0 | 23 | // Don't perform fallback DV validation on EV validation failure. |
| michael@0 | 24 | static const Flags FLAG_MUST_BE_EV; |
| michael@0 | 25 | |
| michael@0 | 26 | // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV |
| michael@0 | 27 | // Only one usage per verification is supported. |
| michael@0 | 28 | SECStatus VerifyCert(CERTCertificate* cert, |
| michael@0 | 29 | const SECCertificateUsage usage, |
| michael@0 | 30 | const PRTime time, |
| michael@0 | 31 | void* pinArg, |
| michael@0 | 32 | const char* hostname, |
| michael@0 | 33 | const Flags flags = 0, |
| michael@0 | 34 | /*optional in*/ const SECItem* stapledOCSPResponse = nullptr, |
| michael@0 | 35 | /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr, |
| michael@0 | 36 | /*optional out*/ SECOidTag* evOidPolicy = nullptr , |
| michael@0 | 37 | /*optional out*/ CERTVerifyLog* verifyLog = nullptr); |
| michael@0 | 38 | |
| michael@0 | 39 | SECStatus VerifySSLServerCert( |
| michael@0 | 40 | CERTCertificate* peerCert, |
| michael@0 | 41 | /*optional*/ const SECItem* stapledOCSPResponse, |
| michael@0 | 42 | PRTime time, |
| michael@0 | 43 | /*optional*/ void* pinarg, |
| michael@0 | 44 | const char* hostname, |
| michael@0 | 45 | bool saveIntermediatesInPermanentDatabase = false, |
| michael@0 | 46 | /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr, |
| michael@0 | 47 | /*optional out*/ SECOidTag* evOidPolicy = nullptr); |
| michael@0 | 48 | |
| michael@0 | 49 | |
| michael@0 | 50 | enum implementation_config { |
| michael@0 | 51 | classic = 0, |
| michael@0 | 52 | #ifndef NSS_NO_LIBPKIX |
| michael@0 | 53 | libpkix = 1, |
| michael@0 | 54 | #endif |
| michael@0 | 55 | mozillapkix = 2 |
| michael@0 | 56 | }; |
| michael@0 | 57 | |
| michael@0 | 58 | enum pinning_enforcement_config { |
| michael@0 | 59 | pinningDisabled = 0, |
| michael@0 | 60 | pinningAllowUserCAMITM = 1, |
| michael@0 | 61 | pinningStrict = 2, |
| michael@0 | 62 | pinningEnforceTestMode = 3 |
| michael@0 | 63 | }; |
| michael@0 | 64 | |
| michael@0 | 65 | enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on }; |
| michael@0 | 66 | enum crl_download_config { crl_local_only = 0, crl_download_allowed }; |
| michael@0 | 67 | enum ocsp_download_config { ocsp_off = 0, ocsp_on }; |
| michael@0 | 68 | enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict }; |
| michael@0 | 69 | enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 }; |
| michael@0 | 70 | |
| michael@0 | 71 | bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; } |
| michael@0 | 72 | |
| michael@0 | 73 | CertVerifier(implementation_config ic, |
| michael@0 | 74 | #ifndef NSS_NO_LIBPKIX |
| michael@0 | 75 | missing_cert_download_config ac, crl_download_config cdc, |
| michael@0 | 76 | #endif |
| michael@0 | 77 | ocsp_download_config odc, ocsp_strict_config osc, |
| michael@0 | 78 | ocsp_get_config ogc, |
| michael@0 | 79 | pinning_enforcement_config pinningEnforcementLevel); |
| michael@0 | 80 | ~CertVerifier(); |
| michael@0 | 81 | |
| michael@0 | 82 | void ClearOCSPCache() { mOCSPCache.Clear(); } |
| michael@0 | 83 | |
| michael@0 | 84 | const implementation_config mImplementation; |
| michael@0 | 85 | #ifndef NSS_NO_LIBPKIX |
| michael@0 | 86 | const bool mMissingCertDownloadEnabled; |
| michael@0 | 87 | const bool mCRLDownloadEnabled; |
| michael@0 | 88 | #endif |
| michael@0 | 89 | const bool mOCSPDownloadEnabled; |
| michael@0 | 90 | const bool mOCSPStrict; |
| michael@0 | 91 | const bool mOCSPGETEnabled; |
| michael@0 | 92 | const pinning_enforcement_config mPinningEnforcementLevel; |
| michael@0 | 93 | |
| michael@0 | 94 | private: |
| michael@0 | 95 | SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert, |
| michael@0 | 96 | const SECCertificateUsage usage, |
| michael@0 | 97 | const PRTime time, |
| michael@0 | 98 | void* pinArg, |
| michael@0 | 99 | const Flags flags, |
| michael@0 | 100 | ChainValidationCallbackState* callbackState, |
| michael@0 | 101 | /*optional*/ const SECItem* stapledOCSPResponse, |
| michael@0 | 102 | /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, |
| michael@0 | 103 | /*optional out*/ SECOidTag* evOidPolicy); |
| michael@0 | 104 | |
| michael@0 | 105 | OCSPCache mOCSPCache; |
| michael@0 | 106 | }; |
| michael@0 | 107 | |
| michael@0 | 108 | void InitCertVerifierLog(); |
| michael@0 | 109 | } } // namespace mozilla::psm |
| michael@0 | 110 | |
| michael@0 | 111 | #endif // mozilla_psm__CertVerifier_h |
