security/certverifier/CertVerifier.h

changeset 0
6474c204b198
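--- /dev/null
+++ b/security/certverifier/CertVerifier.h
@@ -0,0 +1,111 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm__CertVerifier_h
+#define mozilla_psm__CertVerifier_h
+
+#include "pkix/pkixtypes.h"
+#include "OCSPCache.h"
+
+namespace mozilla { namespace psm {
+
+struct ChainValidationCallbackState;
+
+class CertVerifier
+{
+public:
+  typedef unsigned int Flags;
+  // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
+  static const Flags FLAG_LOCAL_ONLY;
+  // Don't perform fallback DV validation on EV validation failure.
+  static const Flags FLAG_MUST_BE_EV;
+
+  // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
+  // Only one usage per verification is supported.
+  SECStatus VerifyCert(CERTCertificate* cert,
+                       const SECCertificateUsage usage,
+                       const PRTime time,
+                       void* pinArg,
+                       const char* hostname,
+                       const Flags flags = 0,
+       /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
+      /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
+      /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
+
+  SECStatus VerifySSLServerCert(
+                    CERTCertificate* peerCert,
+       /*optional*/ const SECItem* stapledOCSPResponse,
+                    PRTime time,
+       /*optional*/ void* pinarg,
+                    const char* hostname,
+                    bool saveIntermediatesInPermanentDatabase = false,
+   /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
+   /*optional out*/ SECOidTag* evOidPolicy = nullptr);
+
+
+  enum implementation_config {
+    classic = 0,
+#ifndef NSS_NO_LIBPKIX
+    libpkix = 1,
+#endif
+    mozillapkix = 2
+  };
+
+  enum pinning_enforcement_config {
+    pinningDisabled = 0,
+    pinningAllowUserCAMITM = 1,
+    pinningStrict = 2,
+    pinningEnforceTestMode = 3
+  };
+
+  enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
+  enum crl_download_config { crl_local_only = 0, crl_download_allowed };
+  enum ocsp_download_config { ocsp_off = 0, ocsp_on };
+  enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
+  enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
+
+  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
+
+  CertVerifier(implementation_config ic,
+#ifndef NSS_NO_LIBPKIX
+               missing_cert_download_config ac, crl_download_config cdc,
+#endif
+               ocsp_download_config odc, ocsp_strict_config osc,
+               ocsp_get_config ogc,
+               pinning_enforcement_config pinningEnforcementLevel);
+  ~CertVerifier();
+
+  void ClearOCSPCache() { mOCSPCache.Clear(); }
+
+  const implementation_config mImplementation;
+#ifndef NSS_NO_LIBPKIX
+  const bool mMissingCertDownloadEnabled;
+  const bool mCRLDownloadEnabled;
+#endif
+  const bool mOCSPDownloadEnabled;
+  const bool mOCSPStrict;
+  const bool mOCSPGETEnabled;
+  const pinning_enforcement_config mPinningEnforcementLevel;
+
+private:
+  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
+      const SECCertificateUsage usage,
+      const PRTime time,
+      void* pinArg,
+      const Flags flags,
+      ChainValidationCallbackState* callbackState,
+      /*optional*/ const SECItem* stapledOCSPResponse,
+      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
+      /*optional out*/ SECOidTag* evOidPolicy);
+
+  OCSPCache mOCSPCache;
+};
+
+void InitCertVerifierLog();
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm__CertVerifier_h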
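Review bot: The contract of the SECStatus return and the `/*optional out*/` parameters of VerifyCert and VerifySSLServerCert is undocumented: nothing in the header says which PR error code a SECFailure carries, or whether `validationChain`/`certChainOut` and `evOidPolicy` are left untouched on failure, so a TLS caller that reads `*evOidPolicy` after a failed call has no stated guarantee it is not looking at a stale or partially written value. I would add above VerifySSLServerCert a comment along the lines of `// Returns SECSuccess only if the chain verified for the given usage and hostname; on SECFailure the cause is available via PR_GetError() and the out parameters must not be relied upon.` — assuming that matches the implementation in the .cpp, which is not part of this change. Two smaller points: `pinArg` in VerifyCert carries no `/*optional*/` annotation while `pinarg` in VerifySSLServerCert does (and the two spellings differ), so the header does not say whether VerifyCert tolerates a null pin argument; and `evOidPolicy = nullptr ,` has a stray space before the comma. The `// XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case` remark deserves to be stated as an explicit caveat on VerifyCert rather than an XXX, since a caller passing that flag to avoid network fetches gets different behavior depending on `mImplementation`.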
