security/certverifier/NSSCertDBTrustDomain.h

changeset 0
6474c204b198
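--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/certverifier/NSSCertDBTrustDomain.h	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm__NSSCertDBTrustDomain_h
+#define mozilla_psm__NSSCertDBTrustDomain_h
+
+#include "pkix/pkixtypes.h"
+#include "secmodt.h"
+#include "CertVerifier.h"
+
+namespace mozilla { namespace psm {
+
+SECStatus InitializeNSS(const char* dir, bool readOnly);
+
+void DisableMD5();
+
+extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[];
+
+void PORT_Free_string(char* str);
+
+// The dir parameter is the path to the directory containing the NSS builtin
+// roots module. Usually this is the same as the path to the other NSS shared
+// libraries. If it is null then the (library) path will be searched.
+//
+// The modNameUTF8 parameter should usually be
+// BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
+SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
+                            const char* modNameUTF8);
+
+void UnloadLoadableRoots(const char* modNameUTF8);
+
+// Controls the OCSP fetching behavior of the classic verification mode. In the
+// classic mode, the OCSP fetching behavior is set globally instead of per
+// validation.
+void
+SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
+                       CertVerifier::ocsp_strict_config strict,
+                       CertVerifier::ocsp_get_config get);
+
+// Caller must free the result with PR_Free
+char* DefaultServerNicknameForCert(CERTCertificate* cert);
+
+void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
+
+class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
+{
+
+public:
+  enum OCSPFetching {
+    NeverFetchOCSP = 0,
+    FetchOCSPForDVSoftFail = 1,
+    FetchOCSPForDVHardFail = 2,
+    FetchOCSPForEV = 3,
+    LocalOnlyOCSPForEV = 4,
+  };
+  NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
+                       OCSPCache& ocspCache, void* pinArg,
+                       CERTChainVerifyCallback* checkChainCallback = nullptr);
+
+  virtual SECStatus FindPotentialIssuers(
+                        const SECItem* encodedIssuerName,
+                        PRTime time,
+                /*out*/ mozilla::pkix::ScopedCERTCertList& results);
+
+  virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                                 SECOidTag policy,
+                                 const CERTCertificate* candidateCert,
+                         /*out*/ TrustLevel* trustLevel);
+
+  virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
+                                     const CERTCertificate* cert);
+
+  virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                                    const CERTCertificate* cert,
+                          /*const*/ CERTCertificate* issuerCert,
+                                    PRTime time,
+                       /*optional*/ const SECItem* stapledOCSPResponse);
+
+  virtual SECStatus IsChainValid(const CERTCertList* certChain);
+
+private:
+  enum EncodedResponseSource {
+    ResponseIsFromNetwork = 1,
+    ResponseWasStapled = 2
+  };
+  static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
+  SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
+    const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
+    uint16_t maxLifetimeInDays, const SECItem* encodedResponse,
+    EncodedResponseSource responseSource, /*out*/ bool& expired);
+
+  const SECTrustType mCertDBTrustType;
+  const OCSPFetching mOCSPFetching;
+  OCSPCache& mOCSPCache; // non-owning!
+  void* mPinArg; // non-owning!
+  CERTChainVerifyCallback* mCheckChainCallback; // non-owning!
+};
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm__NSSCertDBTrustDomain_h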
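Review bot: The constructor keeps `ocspCache`, `pinArg` and `checkChainCallback` in members marked only `// non-owning!`, and nothing at the constructor declaration tells a caller that all three must outlive the NSSCertDBTrustDomain; a comment there such as `// ocspCache, pinArg and checkChainCallback are borrowed and must outlive this object.` would put the lifetime contract where callers read it. The `OCSPFetching` enumerators are undocumented, and the difference between `FetchOCSPForDVSoftFail` and `FetchOCSPForDVHardFail` presumably decides whether a failed fetch rejects the certificate, so a one-line comment per value is worth adding. `ServerFailureDelay` likewise needs a comment saying what the five minutes apply to. Separately, the header uses `PRTime`, `PR_USEC_PER_SEC`, `uint16_t` and `OCSPCache` while including only three headers, so it appears to rely on transitive includes; including what it uses directly would make it robust to changes in `CertVerifier.h`.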
