/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// PSM's bridge between the mozilla::pkix path-building/verification engine and
// the NSS certificate database: NSS initialization and builtin-roots module
// loading, the OCSP policy knobs for the "classic" verifier, and the
// TrustDomain implementation (NSSCertDBTrustDomain) that mozilla::pkix calls
// back into for issuer lookup, trust decisions, signature checks and
// revocation checks. Only declarations live here; the behavior described in
// the comments below is what the signatures and existing comments establish
// and should be confirmed against the .cpp where marked.

#ifndef mozilla_psm__NSSCertDBTrustDomain_h
#define mozilla_psm__NSSCertDBTrustDomain_h

#include "pkix/pkixtypes.h"
#include "secmodt.h"
#include "CertVerifier.h"

namespace mozilla { namespace psm {

// Initializes NSS with the given database directory. readOnly selects whether
// the databases are opened read-only (exact NSS flags are in the .cpp).
// Returns SECSuccess or SECFailure (NSS convention).
SECStatus InitializeNSS(const char* dir, bool readOnly);

// NOTE(review): presumably disables MD5-based signature algorithms for
// certificate verification (MD5 collisions make such signatures forgeable);
// confirm exactly which algorithm policy it changes in the .cpp.
void DisableMD5();

// Default PKCS#11 module name for the NSS builtin root certificates module;
// normally passed as modNameUTF8 to LoadLoadableRoots/UnloadLoadableRoots.
extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[];

// Frees a string that was allocated by NSS/NSPR (PORT_*) allocators. Pair with
// PORT_*-allocated results only; do not use on memory from other allocators.
void PORT_Free_string(char* str);

// The dir parameter is the path to the directory containing the NSS builtin
// roots module. Usually this is the same as the path to the other NSS shared
// libraries. If it is null then the (library) path will be searched.
//
// The modNameUTF8 parameter should usually be
// BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
//
// NOTE(review): the builtin roots module is a shared library that defines the
// trust anchors for every verification, so the null-dir case inherits the
// integrity of the library search path: any attacker-writable directory on
// that path could substitute the module. Callers that can supply a known
// directory should do so. Confirm how the search is performed in the .cpp.
SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
                            const char* modNameUTF8);

// Unloads the module loaded by LoadLoadableRoots with the same modNameUTF8.
void UnloadLoadableRoots(const char* modNameUTF8);

// Controls the OCSP fetching behavior of the classic verification mode. In the
// classic mode, the OCSP fetching behavior is set globally instead of per
// validation.
//
// Because this is process-wide state, a change here affects every verification
// in flight. No synchronization is visible from this header — TODO confirm in
// the .cpp whether callers must serialize with ongoing verifications.
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
                       CertVerifier::ocsp_strict_config strict,
                       CertVerifier::ocsp_get_config get);

// Caller must free the result with PR_Free
// (the returned buffer is owned by the caller; it is NOT the same allocator as
// PORT_Free_string above). Whether nullptr can be returned on failure is not
// visible here — callers should null-check; confirm in the .cpp.
char* DefaultServerNicknameForCert(CERTCertificate* cert);

// Persists intermediate certificates from a verified chain (the list is only
// read here — it is passed by const reference). Where and how they are stored
// is defined in the .cpp.
void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);

// mozilla::pkix::TrustDomain implementation backed by the NSS certificate
// database. One instance is configured with a trust type (which NSS trust
// bits to consult), an OCSP fetching policy, a shared OCSP response cache and
// an opaque PKCS#11 pin argument, and is then handed to mozilla::pkix for a
// verification. All referenced objects are non-owning (see the member
// comments) and must outlive the trust domain.
class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
{

public:
  // OCSP policy for a single verification. The names encode the intent; the
  // exact semantics are implemented in CheckRevocation and should be confirmed
  // there:
  //  - NeverFetchOCSP: no network OCSP request.
  //  - FetchOCSPForDVSoftFail: fetch, but (by the name) treat a fetch failure
  //    as non-fatal. NOTE(review): soft-fail means an attacker who can block
  //    the responder can suppress a revocation — this is the well-known
  //    limitation of soft-fail OCSP, not a defect of this header.
  //  - FetchOCSPForDVHardFail: fetch, and (by the name) fail verification if
  //    no valid response is obtained.
  //  - FetchOCSPForEV: fetching policy used for EV validation.
  //  - LocalOnlyOCSPForEV: EV validation using only locally available
  //    (cached/stapled) responses, no network.
  enum OCSPFetching {
    NeverFetchOCSP = 0,
    FetchOCSPForDVSoftFail = 1,
    FetchOCSPForDVHardFail = 2,
    FetchOCSPForEV = 3,
    LocalOnlyOCSPForEV = 4,
  };
  // certDBTrustType: which NSS trust type (e.g. server vs. e-mail) GetCertTrust
  //   consults when reading trust bits from the database.
  // ocspFetching: revocation-checking policy for this verification.
  // ocspCache: shared cache of OCSP results; stored by reference, not owned.
  // pinArg: opaque argument forwarded to NSS PKCS#11 pin callbacks (presumed
  //   from the name; it is passed through untouched). Not owned.
  // checkChainCallback: optional hook consulted for the built chain (see
  //   IsChainValid). Not owned; may be nullptr.
  NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                       OCSPCache& ocspCache, void* pinArg,
                       CERTChainVerifyCallback* checkChainCallback = nullptr);

  // Returns in `results` the certificates whose subject name matches
  // encodedIssuerName and that are candidate issuers at `time`. Candidates
  // are not yet trusted: mozilla::pkix calls GetCertTrust/VerifySignedData
  // on them separately.
  virtual SECStatus FindPotentialIssuers(
                      const SECItem* encodedIssuerName,
                      PRTime time,
              /*out*/ mozilla::pkix::ScopedCERTCertList& results);

  // Reports the trust level of candidateCert for the given `policy` OID (the
  // EV policy, when EV is being evaluated) and its position in the chain
  // (end entity vs. CA). This is the hook through which database trust bits
  // and explicit distrust reach mozilla::pkix.
  virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                 SECOidTag policy,
                                 const CERTCertificate* candidateCert,
                         /*out*/ TrustLevel* trustLevel);

  // Verifies that signedData carries a valid signature made by the public key
  // in `cert`. Algorithm restrictions (e.g. DisableMD5) are expected to be
  // enforced beneath this call — confirm in the .cpp.
  virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
                                     const CERTCertificate* cert);

  // Checks whether `cert` (issued by issuerCert) is revoked as of `time`,
  // according to mOCSPFetching. stapledOCSPResponse is the response supplied
  // by the TLS peer, if any, and may be nullptr. issuerCert is logically
  // const (see the /*const*/ annotation); the NSS APIs used need a non-const
  // pointer.
  virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
                                    const CERTCertificate* cert,
                          /*const*/ CERTCertificate* issuerCert,
                                    PRTime time,
                       /*optional*/ const SECItem* stapledOCSPResponse);

  // Final whole-chain check after path building. Presumably consults
  // mCheckChainCallback when one was supplied — confirm in the .cpp.
  virtual SECStatus IsChainValid(const CERTCertList* certChain);

private:
  // Where an encoded OCSP response came from: fetched over the network by us,
  // or stapled into the TLS handshake by the peer. Both are signed responses
  // that must be verified the same way; the distinction is presumably used
  // for caching and/or error reporting — confirm in the .cpp.
  enum EncodedResponseSource {
    ResponseIsFromNetwork = 1,
    ResponseWasStapled = 2
  };
  // 5 minutes, in PRTime units (microseconds). Presumably the period during
  // which an OCSP responder that failed is not retried — confirm in the .cpp.
  static const PRTime ServerFailureDelay = 5 * 60 * PR_USEC_PER_SEC;
  // Verifies encodedResponse for `cert`/issuerCert as of `time`, rejecting
  // responses older than maxLifetimeInDays, and caches the outcome in
  // mOCSPCache when appropriate. `expired` is set to report that the response
  // was otherwise acceptable but out of date; see the .cpp for the exact
  // conditions.
  SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
    const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
    uint16_t maxLifetimeInDays, const SECItem* encodedResponse,
    EncodedResponseSource responseSource, /*out*/ bool& expired);

  // Fixed for the lifetime of the instance.
  const SECTrustType mCertDBTrustType;
  const OCSPFetching mOCSPFetching;
  // The following are borrowed from the caller and must stay alive for as
  // long as this trust domain is in use by a verification.
  OCSPCache& mOCSPCache; // non-owning!
  void* mPinArg; // non-owning!
  CERTChainVerifyCallback* mCheckChainCallback; // non-owning!
};

} } // namespace mozilla::psm

#endif // mozilla_psm__NSSCertDBTrustDomain_h