The Tor Browser / file comparison
comparison: security/certverifier/OCSPCache.h
security/certverifier/OCSPCache.h
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4076ed163405 |
|---|---|
| 1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ | |
| 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ | |
| 3 /* Copyright 2013 Mozilla Foundation | |
| 4 * | |
| 5 * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 6 * you may not use this file except in compliance with the License. | |
| 7 * You may obtain a copy of the License at | |
| 8 * | |
| 9 * http://www.apache.org/licenses/LICENSE-2.0 | |
| 10 * | |
| 11 * Unless required by applicable law or agreed to in writing, software | |
| 12 * distributed under the License is distributed on an "AS IS" BASIS, | |
| 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 14 * See the License for the specific language governing permissions and | |
| 15 * limitations under the License. | |
| 16 */ | |
| 17 | |
| 18 #ifndef mozilla_psm_OCSPCache_h | |
| 19 #define mozilla_psm_OCSPCache_h | |
| 20 | |
| 21 #include "certt.h" | |
| 22 #include "hasht.h" | |
| 23 #include "pkix/pkixtypes.h" | |
| 24 #include "mozilla/Mutex.h" | |
| 25 #include "mozilla/Vector.h" | |
| 26 #include "prerror.h" | |
| 27 | |
| 28 namespace mozilla { namespace psm { | |
| 29 | |
| 30 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH" | |
| 31 typedef uint8_t SHA384Buffer[SHA384_LENGTH]; | |
| 32 | |
| 33 // OCSPCache can store and retrieve OCSP response verification results. Each | |
| 34 // result is keyed on the certificate that purportedly corresponds to it (where | |
| 35 // certificates are distinguished based on serial number, issuer, and | |
| 36 // issuer public key, much like in an encoded OCSP response itself). A maximum | |
| 37 // of 1024 distinct entries can be stored. | |
| 38 // OCSPCache is thread-safe. | |
| 39 class OCSPCache | |
| 40 { | |
| 41 public: | |
| 42 OCSPCache(); | |
| 43 ~OCSPCache(); | |
| 44 | |
| 45 // Returns true if the status of the given certificate (issued by the given | |
| 46 // issuer) is in the cache, and false otherwise. | |
| 47 // If it is in the cache, returns by reference the error code of the cached | |
| 48 // status and the time through which the status is considered trustworthy. | |
| 49 bool Get(const CERTCertificate* aCert, const CERTCertificate* aIssuerCert, | |
| 50 /* out */ PRErrorCode& aErrorCode, /* out */ PRTime& aValidThrough); | |
| 51 | |
| 52 // Caches the status of the given certificate (issued by the given issuer). | |
| 53 // The status is considered trustworthy through the given time. | |
| 54 // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not | |
| 55 // be replaced or evicted. | |
| 56 // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not | |
| 57 // be evicted when the cache is full. | |
| 58 // A status with a more recent thisUpdate will not be replaced with a | |
| 59 // status with a less recent thisUpdate unless the less recent status | |
| 60 // indicates the certificate is revoked. | |
| 61 SECStatus Put(const CERTCertificate* aCert, | |
| 62 const CERTCertificate* aIssuerCert, | |
| 63 PRErrorCode aErrorCode, | |
| 64 PRTime aThisUpdate, | |
| 65 PRTime aValidThrough); | |
| 66 | |
| 67 // Removes everything from the cache. | |
| 68 void Clear(); | |
| 69 | |
| 70 private: | |
| 71 class Entry | |
| 72 { | |
| 73 public: | |
| 74 SECStatus Init(const CERTCertificate* aCert, | |
| 75 const CERTCertificate* aIssuerCert, | |
| 76 PRErrorCode aErrorCode, PRTime aThisUpdate, | |
| 77 PRTime aValidThrough); | |
| 78 | |
| 79 PRErrorCode mErrorCode; | |
| 80 PRTime mThisUpdate; | |
| 81 PRTime mValidThrough; | |
| 82 // The SHA-384 hash of the concatenation of the DER encodings of the | |
| 83 // issuer name and issuer key, followed by the serial number. | |
| 84 // See the documentation for CertIDHash in OCSPCache.cpp. | |
| 85 SHA384Buffer mIDHash; | |
| 86 }; | |
| 87 | |
| 88 int32_t FindInternal(const CERTCertificate* aCert, | |
| 89 const CERTCertificate* aIssuerCert, | |
| 90 const MutexAutoLock& aProofOfLock); | |
| 91 void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock); | |
| 92 void LogWithCerts(const char* aMessage, const CERTCertificate* aCert, | |
| 93 const CERTCertificate* aIssuerCert); | |
| 94 | |
| 95 Mutex mMutex; | |
| 96 static const size_t MaxEntries = 1024; | |
| 97 // Sorted with the most-recently-used entry at the end. | |
| 98 // Using 256 here reserves as much possible inline storage as the vector | |
| 99 // implementation will give us. 1024 bytes is the maximum it allows, | |
| 100 // which results in 256 Entry pointers or 128 Entry pointers, depending | |
| 101 // on the size of a pointer. | |
| 102 Vector<Entry*, 256> mEntries; | |
| 103 }; | |
| 104 | |
| 105 } } // namespace mozilla::psm | |
| 106 | |
| 107 #endif // mozilla_psm_OCSPCache_h |
