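--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/certverifier/NSSCertDBTrustDomain.h Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,104 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_psm__NSSCertDBTrustDomain_h
+#define mozilla_psm__NSSCertDBTrustDomain_h
+
+#include "pkix/pkixtypes.h"
+#include "secmodt.h"
+#include "CertVerifier.h"
+
+namespace mozilla { namespace psm {
+
+SECStatus InitializeNSS(const char* dir, bool readOnly);
+
+void DisableMD5();
+
+extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[];
+
+void PORT_Free_string(char* str);
+
+// The dir parameter is the path to the directory containing the NSS builtin
+// roots module. Usually this is the same as the path to the other NSS shared
+// libraries. If it is null then the (library) path will be searched.
+//
+// The modNameUTF8 parameter should usually be
+// BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
+SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
+ const char* modNameUTF8);
+
+void UnloadLoadableRoots(const char* modNameUTF8);
+
+// Controls the OCSP fetching behavior of the classic verification mode. In the
+// classic mode, the OCSP fetching behavior is set globally instead of per
+// validation.
+void
+SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
+ CertVerifier::ocsp_strict_config strict,
+ CertVerifier::ocsp_get_config get);
+
+// Caller must free the result with PR_Free
+char* DefaultServerNicknameForCert(CERTCertificate* cert);
+
+void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
+
+class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
+{
+
+public:
+ enum OCSPFetching {
+ NeverFetchOCSP = 0,
+ FetchOCSPForDVSoftFail = 1,
+ FetchOCSPForDVHardFail = 2,
+ FetchOCSPForEV = 3,
+ LocalOnlyOCSPForEV = 4,
+ };
+ NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
+ OCSPCache& ocspCache, void* pinArg,
+ CERTChainVerifyCallback* checkChainCallback = nullptr);
+
+ virtual SECStatus FindPotentialIssuers(
+ const SECItem* encodedIssuerName,
+ PRTime time,
+ /*out*/ mozilla::pkix::ScopedCERTCertList& results);
+
+ virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ SECOidTag policy,
+ const CERTCertificate* candidateCert,
+ /*out*/ TrustLevel* trustLevel);
+
+ virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
+ const CERTCertificate* cert);
+
+ virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
+ const CERTCertificate* cert,
+ /*const*/ CERTCertificate* issuerCert,
+ PRTime time,
+ /*optional*/ const SECItem* stapledOCSPResponse);
+
+ virtual SECStatus IsChainValid(const CERTCertList* certChain);
+
+private:
+ enum EncodedResponseSource {
+ ResponseIsFromNetwork = 1,
+ ResponseWasStapled = 2
+ };
+ static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
+ SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
+ const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
+ uint16_t maxLifetimeInDays, const SECItem* encodedResponse,
+ EncodedResponseSource responseSource, /*out*/ bool& expired);
+
+ const SECTrustType mCertDBTrustType;
+ const OCSPFetching mOCSPFetching;
+ OCSPCache& mOCSPCache; // non-owning!
+ void* mPinArg; // non-owning!
+ CERTChainVerifyCallback* mCheckChainCallback; // non-owning!
+};
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm__NSSCertDBTrustDomain_h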
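Review bot: The `OCSPFetching` enum is declared with no comment on what each mode does when a revocation check cannot be completed, although that value is the security-relevant argument every caller passes to the `NSSCertDBTrustDomain` constructor. A short comment above the enum would help, for example `// *SoftFail: presumably an unobtainable OCSP response does not fail verification; *HardFail: it does (confirm against CheckRevocation)`; the implementation is outside this header, so the exact semantics need confirming there. Separately, `mOCSPCache`, `mPinArg` and `mCheckChainCallback` are marked `// non-owning!` only on the private members, so the constructor declaration should carry the lifetime contract where callers read it: `// ocspCache, pinArg and checkChainCallback are borrowed and must outlive this object.` The five `virtual` declarations could also carry the tree's override annotation, so that a signature drift from `mozilla::pkix::TrustDomain` is caught at the declaration instead of depending on how the base class declares the method.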