/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef mozilla_psm__CertVerifier_h
#define mozilla_psm__CertVerifier_h

#include "pkix/pkixtypes.h"
#include "OCSPCache.h"

namespace mozilla { namespace psm {

// Opaque state handed to the private mozilla::pkix verification path;
// the definition lives elsewhere.
struct ChainValidationCallbackState;

// Entry point for certificate verification in PSM. The verification backend,
// the download/OCSP policy and the pinning enforcement level are chosen once
// at construction time (every configuration member below is const), and the
// instance owns the OCSP response cache used during verification.
class CertVerifier
{
public:
  typedef unsigned int Flags;
  // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
  static const Flags FLAG_LOCAL_ONLY;
  // Don't perform fallback DV validation on EV validation failure.
  static const Flags FLAG_MUST_BE_EV;

  // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
  // Only one usage per verification is supported.
  //
  // Verifies |cert| for the single |usage| at |time|. |flags| is a bitmask of
  // the FLAG_* values above; the default 0 sets none of them. |pinArg| is
  // opaque here (presumably forwarded to the NSS password/pin callback --
  // confirm in the implementation). |hostname| is presumably the expected
  // server name for name matching -- confirm against callers.
  // |stapledOCSPResponse| is an optional input. |validationChain|,
  // |evOidPolicy| and |verifyLog| are optional outputs and may be nullptr.
  // Returns a SECStatus.
  SECStatus VerifyCert(CERTCertificate* cert,
                       const SECCertificateUsage usage,
                       const PRTime time,
                       void* pinArg,
                       const char* hostname,
                       const Flags flags = 0,
          /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
         /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
         /*optional out*/ SECOidTag* evOidPolicy = nullptr,
         /*optional out*/ CERTVerifyLog* verifyLog = nullptr);

  // Verifies |peerCert| as an SSL server certificate for |hostname| at
  // |time|. |stapledOCSPResponse| and |pinarg| are optional inputs.
  // |saveIntermediatesInPermanentDatabase| defaults to false, so
  // intermediates from the peer's chain are not persisted unless the caller
  // opts in. |certChainOut| and |evOidPolicy| are optional outputs
  // (see the evOidPolicy note on VerifyCert). Returns a SECStatus.
  SECStatus VerifySSLServerCert(
                    CERTCertificate* peerCert,
       /*optional*/ const SECItem* stapledOCSPResponse,
                    PRTime time,
       /*optional*/ void* pinarg,
                    const char* hostname,
                    bool saveIntermediatesInPermanentDatabase = false,
   /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
   /*optional out*/ SECOidTag* evOidPolicy = nullptr);


  // Which verification backend this instance uses. libpkix is only available
  // when NSS_NO_LIBPKIX is not defined; the numeric values are fixed so that
  // mozillapkix stays 2 either way.
  enum implementation_config {
    classic = 0,
#ifndef NSS_NO_LIBPKIX
    libpkix = 1,
#endif
    mozillapkix = 2
  };

  // Pinning enforcement level, from disabled (0) to strict (2), plus a test
  // mode (3). The exact behaviour of each level is decided by the
  // implementation, not visible here.
  enum pinning_enforcement_config {
    pinningDisabled = 0,
    pinningAllowUserCAMITM = 1,
    pinningStrict = 2,
    pinningEnforceTestMode = 3
  };

  // On/off switches for network-dependent behaviour; value 0 is always the
  // "off"/"local only"/"relaxed" setting.
  enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
  enum crl_download_config { crl_local_only = 0, crl_download_allowed };
  enum ocsp_download_config { ocsp_off = 0, ocsp_on };
  enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
  enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };

  // Reports the OCSP download setting fixed at construction.
  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }

  // Builds a verifier with the given backend and policy settings; the
  // missing-cert and CRL download options exist only in libpkix-enabled
  // builds. The enum arguments presumably map onto the const members below
  // (confirm in the constructor definition).
  CertVerifier(implementation_config ic,
#ifndef NSS_NO_LIBPKIX
               missing_cert_download_config ac,
               crl_download_config cdc,
#endif
               ocsp_download_config odc,
               ocsp_strict_config osc,
               ocsp_get_config ogc,
               pinning_enforcement_config pinningEnforcementLevel);
  ~CertVerifier();

  // Drops every cached OCSP response; subsequent verifications must obtain
  // responses afresh (subject to the download settings above).
  void ClearOCSPCache() { mOCSPCache.Clear(); }

  // Configuration, immutable for the lifetime of the instance.
  const implementation_config mImplementation;
#ifndef NSS_NO_LIBPKIX
  const bool mMissingCertDownloadEnabled;
  const bool mCRLDownloadEnabled;
#endif
  const bool mOCSPDownloadEnabled;
  const bool mOCSPStrict;
  const bool mOCSPGETEnabled;
  const pinning_enforcement_config mPinningEnforcementLevel;

private:
  // mozilla::pkix backend for VerifyCert (presumably selected when
  // mImplementation == mozillapkix -- confirm in the .cpp). Same parameter
  // contract as VerifyCert, with |callbackState| carrying the per-call
  // state for the chain validation callbacks.
  SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
                                  const SECCertificateUsage usage,
                                  const PRTime time,
                                  void* pinArg,
                                  const Flags flags,
                                  ChainValidationCallbackState* callbackState,
                     /*optional*/ const SECItem* stapledOCSPResponse,
                    /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
                    /*optional out*/ SECOidTag* evOidPolicy);

  // Per-instance OCSP response cache; emptied by ClearOCSPCache().
  OCSPCache mOCSPCache;
};

// Presumably sets up the module's logging; defined elsewhere.
void InitCertVerifierLog();
} } // namespace mozilla::psm

#endif // mozilla_psm__CertVerifier_h