security/certverifier/CertVerifier.h


Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2

     1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
     2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
     3 /* This Source Code Form is subject to the terms of the Mozilla Public
     4  * License, v. 2.0. If a copy of the MPL was not distributed with this
     5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     7 #ifndef mozilla_psm__CertVerifier_h
     8 #define mozilla_psm__CertVerifier_h
    10 #include "pkix/pkixtypes.h"
    11 #include "OCSPCache.h"
namespace mozilla { namespace psm {

// Per-verification state threaded through to the chain-validation callback.
// Opaque at this layer: only the implementation file defines it; this header
// merely passes it around by pointer.
struct ChainValidationCallbackState;

// Certificate verification front end for PSM.
//
// Policy (which path-building engine does the work, whether revocation data
// may be fetched from the network, how strictly OCSP is treated, and how key
// pinning is enforced) is fixed at construction time and exposed through
// const public members, so a verifier's policy cannot be quietly downgraded
// after it has been created.
//
// All verification entry points return an NSS SECStatus; the specific error
// is presumably retrievable via PR_GetError() on failure (not visible here).
class CertVerifier
{
public:
  // ---- nested policy types --------------------------------------------

  typedef unsigned int Flags;

  // Use only locally available data; do not go to the network for
  // intermediates, CRLs or OCSP responses.
  // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case, so
  // callers that depend on it for offline behaviour must also take
  // mImplementation into account.
  static const Flags FLAG_LOCAL_ONLY;

  // Don't perform fallback DV validation on EV validation failure: if the
  // chain does not qualify for EV, the whole verification fails.
  static const Flags FLAG_MUST_BE_EV;

  // Which path-building / validation engine performs the work.
  // The numeric values are explicit so they stay stable even when libpkix
  // is compiled out (NSS_NO_LIBPKIX leaves value 1 unused rather than
  // renumbering mozillapkix). Do not renumber them.
  enum implementation_config {
    classic = 0,
#ifndef NSS_NO_LIBPKIX
    libpkix = 1,
#endif
    mozillapkix = 2
  };

  // Public-key pinning enforcement level, least to most strict.
  // Read from the names alone -- the semantics live in the .cpp:
  //   pinningDisabled         - pins are never checked.
  //   pinningAllowUserCAMITM  - pins enforced, except presumably for chains
  //                             anchored at a user-added (non-built-in)
  //                             trust anchor, so locally installed TLS
  //                             interception proxies keep working.
  //   pinningStrict           - pins enforced for every chain.
  //   pinningEnforceTestMode  - appears to additionally enforce pins that are
  //                             otherwise in test mode; confirm against the
  //                             implementation before relying on it.
  enum pinning_enforcement_config {
    pinningDisabled = 0,
    pinningAllowUserCAMITM = 1,
    pinningStrict = 2,
    pinningEnforceTestMode = 3
  };

  // Revocation / network-fetch policy switches taken by the constructor.
  // By name, ocsp_strict vs. ocsp_relaxed is the hard-fail vs. soft-fail
  // choice when an OCSP response cannot be obtained; in relaxed mode an
  // attacker who can block the responder presumably also blocks the
  // revocation check, the usual availability trade-off. ocsp_get_enabled
  // permits OCSP requests over HTTP GET (cacheable by intermediaries, but
  // the request travels in the URL). Verify the exact behaviour in the .cpp.
  enum missing_cert_download_config {
    missing_cert_download_off = 0,
    missing_cert_download_on
  };
  enum crl_download_config {
    crl_local_only = 0,
    crl_download_allowed
  };
  enum ocsp_download_config {
    ocsp_off = 0,
    ocsp_on
  };
  enum ocsp_strict_config {
    ocsp_relaxed = 0,
    ocsp_strict
  };
  enum ocsp_get_config {
    ocsp_get_disabled = 0,
    ocsp_get_enabled = 1
  };

  // ---- construction ----------------------------------------------------

  // Build a verifier with a fixed policy. The missing-certificate and CRL
  // download settings only exist when libpkix is compiled in.
  CertVerifier(implementation_config ic,
#ifndef NSS_NO_LIBPKIX
               missing_cert_download_config ac,
               crl_download_config cdc,
#endif
               ocsp_download_config odc,
               ocsp_strict_config osc,
               ocsp_get_config ogc,
               pinning_enforcement_config pinningEnforcementLevel);
  ~CertVerifier();

  // ---- verification ----------------------------------------------------

  // Verify |cert| for one |usage| at |time|. Only one usage per verification
  // is supported.
  //
  //   pinArg              - opaque token handed to the PKCS#11 PIN callback
  //                         (NSS convention; not inspected at this layer).
  //   hostname            - peer name the certificate is being verified for.
  //   flags               - bitwise OR of the FLAG_* constants above.
  //   stapledOCSPResponse - optional in: OCSP response the peer stapled into
  //                         the handshake, as received -- untrusted until the
  //                         implementation has validated it.
  //   validationChain     - optional out: the chain that was built.
  //   evOidPolicy         - optional out: *evOidPolicy == SEC_OID_UNKNOWN
  //                         means the cert is NOT EV.
  //   verifyLog           - optional out: NSS verify log for diagnostics.
  SECStatus VerifyCert(
      CERTCertificate* cert,
      const SECCertificateUsage usage,
      const PRTime time,
      void* pinArg,
      const char* hostname,
      const Flags flags = 0,
      /*optional in*/  const SECItem* stapledOCSPResponse = nullptr,
      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
      /*optional out*/ SECOidTag* evOidPolicy = nullptr,
      /*optional out*/ CERTVerifyLog* verifyLog = nullptr);

  // Wrapper for the TLS server-certificate case: verifies |peerCert| for
  // |hostname| and, judging by the parameter name, persists the chain's
  // intermediates in the permanent certificate DB when
  // |saveIntermediatesInPermanentDatabase| is true. The chain is
  // attacker-supplied data; whether persisted intermediates are stored
  // without trust bits is decided in the implementation and should be
  // confirmed there.
  SECStatus VerifySSLServerCert(
      CERTCertificate* peerCert,
      /*optional*/     const SECItem* stapledOCSPResponse,
      PRTime time,
      /*optional*/     void* pinarg,
      const char* hostname,
      bool saveIntermediatesInPermanentDatabase = false,
      /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
      /*optional out*/ SECOidTag* evOidPolicy = nullptr);

  // ---- accessors -------------------------------------------------------

  // Reports mOCSPDownloadEnabled (presumably derived from the
  // ocsp_download_config given to the constructor).
  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }

  // Drop every cached OCSP result. Nothing in this header synchronises the
  // call; whether it is safe from multiple threads depends on OCSPCache.
  void ClearOCSPCache() { mOCSPCache.Clear(); }

  // ---- policy (immutable after construction) ---------------------------
  // Declaration order is kept as-is; it determines layout and the
  // constructor's initialisation order.

  const implementation_config mImplementation;
#ifndef NSS_NO_LIBPKIX
  const bool mMissingCertDownloadEnabled;
  const bool mCRLDownloadEnabled;
#endif
  const bool mOCSPDownloadEnabled;
  const bool mOCSPStrict;
  const bool mOCSPGETEnabled;
  const pinning_enforcement_config mPinningEnforcementLevel;

private:
  // mozilla::pkix back end for VerifyCert. Takes no hostname or verifyLog;
  // presumably |callbackState| carries whatever the callbacks need.
  SECStatus MozillaPKIXVerifyCert(
      CERTCertificate* cert,
      const SECCertificateUsage usage,
      const PRTime time,
      void* pinArg,
      const Flags flags,
      ChainValidationCallbackState* callbackState,
      /*optional*/     const SECItem* stapledOCSPResponse,
      /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
      /*optional out*/ SECOidTag* evOidPolicy);

  OCSPCache mOCSPCache;
};

// One-time logging setup for the verifier; defined in the implementation file.
void InitCertVerifierLog();

} } // namespace mozilla::psm
   111 #endif // mozilla_psm__CertVerifier_h
