security/certverifier/NSSCertDBTrustDomain.h@7e26c7da4463
security/certverifier/NSSCertDBTrustDomain.h
Wed, 31 Dec 2014 06:55:50 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:55:50 +0100
- changeset 2
- 7e26c7da4463
- permissions
- -rw-r--r--
Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_psm__NSSCertDBTrustDomain_h
8 #define mozilla_psm__NSSCertDBTrustDomain_h
10 #include "pkix/pkixtypes.h"
11 #include "secmodt.h"
12 #include "CertVerifier.h"
14 namespace mozilla { namespace psm {
16 SECStatus InitializeNSS(const char* dir, bool readOnly);
18 void DisableMD5();
20 extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[];
22 void PORT_Free_string(char* str);
24 // The dir parameter is the path to the directory containing the NSS builtin
25 // roots module. Usually this is the same as the path to the other NSS shared
26 // libraries. If it is null then the (library) path will be searched.
27 //
28 // The modNameUTF8 parameter should usually be
29 // BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
30 SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
31 const char* modNameUTF8);
33 void UnloadLoadableRoots(const char* modNameUTF8);
35 // Controls the OCSP fetching behavior of the classic verification mode. In the
36 // classic mode, the OCSP fetching behavior is set globally instead of per
37 // validation.
38 void
39 SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
40 CertVerifier::ocsp_strict_config strict,
41 CertVerifier::ocsp_get_config get);
43 // Caller must free the result with PR_Free
44 char* DefaultServerNicknameForCert(CERTCertificate* cert);
46 void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
48 class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
49 {
51 public:
52 enum OCSPFetching {
53 NeverFetchOCSP = 0,
54 FetchOCSPForDVSoftFail = 1,
55 FetchOCSPForDVHardFail = 2,
56 FetchOCSPForEV = 3,
57 LocalOnlyOCSPForEV = 4,
58 };
59 NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
60 OCSPCache& ocspCache, void* pinArg,
61 CERTChainVerifyCallback* checkChainCallback = nullptr);
63 virtual SECStatus FindPotentialIssuers(
64 const SECItem* encodedIssuerName,
65 PRTime time,
66 /*out*/ mozilla::pkix::ScopedCERTCertList& results);
68 virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
69 SECOidTag policy,
70 const CERTCertificate* candidateCert,
71 /*out*/ TrustLevel* trustLevel);
73 virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
74 const CERTCertificate* cert);
76 virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
77 const CERTCertificate* cert,
78 /*const*/ CERTCertificate* issuerCert,
79 PRTime time,
80 /*optional*/ const SECItem* stapledOCSPResponse);
82 virtual SECStatus IsChainValid(const CERTCertList* certChain);
84 private:
85 enum EncodedResponseSource {
86 ResponseIsFromNetwork = 1,
87 ResponseWasStapled = 2
88 };
89 static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
90 SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
91 const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
92 uint16_t maxLifetimeInDays, const SECItem* encodedResponse,
93 EncodedResponseSource responseSource, /*out*/ bool& expired);
95 const SECTrustType mCertDBTrustType;
96 const OCSPFetching mOCSPFetching;
97 OCSPCache& mOCSPCache; // non-owning!
98 void* mPinArg; // non-owning!
99 CERTChainVerifyCallback* mCheckChainCallback; // non-owning!
100 };
102 } } // namespace mozilla::psm
104 #endif // mozilla_psm__NSSCertDBTrustDomain_h
