/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __nsSiteSecurityService_h__
#define __nsSiteSecurityService_h__
#include "mozilla/DataStorage.h"
#include "nsCOMPtr.h"
#include "nsIObserver.h"
#include "nsISiteSecurityService.h"
#include "nsString.h"
#include "nsTArray.h"
#include "pkix/pkixtypes.h"
#include "prtime.h"
class nsIURI;
class nsISSLStatus;
// {16955eee-6c48-4152-9309-c42a465138a1}
#define NS_SITE_SECURITY_SERVICE_CID \
{0x16955eee, 0x6c48, 0x4152, \
{0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1} }
/**
 * SecurityPropertyState: the states a site security property can be in.
 *
 * The numeric values are spelled out explicitly and are left unchanged here.
 * NOTE(review): presumably they are written into the serialized state strings
 * handled by the Site*State classes, so renumbering would change the meaning
 * of already-stored entries -- confirm against the ToString implementations.
 */
enum SecurityPropertyState {
  // The site does not have the security property in question.
  SecurityPropertyUnset = 0,

  // The site has the security property in question.
  SecurityPropertySet = 1,

  // A value on a preloaded list is being overridden, and the associated site
  // does not have the security property in question.
  SecurityPropertyKnockout = 2
};
/**
 * SiteHPKPState: A utility class that encodes/decodes a string describing
 * the public key pins (HPKP) of a site.
 *
 * HPKP state consists of:
 *  - Expiry time (PRTime (aka int64_t) in milliseconds)
 *  - A state flag (SecurityPropertyState, default SecurityPropertyUnset)
 *  - An include subdomains flag (bool, default false)
 *  - An array of sha-256 hashed base 64 encoded fingerprints of required keys
 *
 * NOTE(review): the string-decoding constructor is defined outside this
 * header; how it treats a malformed or truncated state string is not visible
 * here -- confirm it leaves the object in the Unset state rather than with a
 * partially populated pin set.
 */
class SiteHPKPState
{
public:
  SiteHPKPState();

  // Decodes a previously encoded state string (see ToString).
  explicit SiteHPKPState(nsCString& aStateString);

  // Builds a state directly from its four components.
  SiteHPKPState(PRTime aExpireTime, SecurityPropertyState aState,
                bool aIncludeSubdomains, nsTArray<nsCString>& SHA256keys);

  PRTime mExpireTime;               // expiry time, in milliseconds
  SecurityPropertyState mState;     // Unset / Set / Knockout
  bool mIncludeSubdomains;          // whether the pins also cover subdomains
  nsTArray<nsCString> mSHA256keys;  // fingerprints of the required keys

  /**
   * Returns true when aTime is strictly later than the stored expiry.
   *
   * mExpireTime is in milliseconds and is converted to whole seconds by
   * integer division before being turned into a mozilla::pkix::Time, so the
   * comparison has one-second granularity. The caller supplies the reference
   * time; this method does not read the clock itself.
   *
   * NOTE(review): there is no "never expires" special case for an expiry of 0
   * here, unlike SiteHSTSState::IsExpired. mExpireTime is also a signed
   * PRTime; confirm a negative value read back from storage cannot reach the
   * conversion below.
   */
  bool IsExpired(mozilla::pkix::Time aTime)
  {
    const mozilla::pkix::Time expiry =
      mozilla::pkix::TimeFromEpochInSeconds(mExpireTime / PR_MSEC_PER_SEC);
    return aTime > expiry;
  }

  // Encodes this state into aString.
  void ToString(nsCString& aString);
};
/**
 * SiteHSTSState: A utility class that encodes/decodes a string describing
 * the security state of a site. Currently only handles HSTS.
 *
 * HSTS state consists of:
 *  - Expiry time (PRTime (aka int64_t) in milliseconds)
 *  - A state flag (SecurityPropertyState, default SecurityPropertyUnset)
 *  - An include subdomains flag (bool, default false)
 *
 * NOTE(review): the string-decoding constructor is defined outside this
 * header; its handling of malformed input is not visible here -- confirm.
 */
class SiteHSTSState
{
public:
  // Decodes a previously encoded state string (see ToString).
  explicit SiteHSTSState(nsCString& aStateString);

  // Builds a state directly from its three components.
  SiteHSTSState(PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState,
                bool aHSTSIncludeSubdomains);

  PRTime mHSTSExpireTime;            // expiry time, in milliseconds; 0 = never
  SecurityPropertyState mHSTSState;  // Unset / Set / Knockout
  bool mHSTSIncludeSubdomains;       // whether the policy covers subdomains

  /**
   * Returns true when the current wall-clock time is strictly later than the
   * stored expiry.
   *
   * An expiry of 0 means the entry never expires (this is the case for
   * knockout entries), so the clock is not consulted at all in that case.
   * Otherwise PR_Now() is scaled to milliseconds and compared against
   * mHSTSExpireTime. Because the local clock is the reference, a clock that
   * is set forward makes entries appear expired, and one that is set back
   * keeps them alive longer.
   *
   * aType is not used by this implementation.
   */
  bool IsExpired(uint32_t aType)
  {
    // Short-circuit keeps PR_Now() from being called for never-expiring
    // entries, exactly as the guard-clause form does.
    return mHSTSExpireTime != 0 &&
           (PR_Now() / PR_USEC_PER_MSEC) > mHSTSExpireTime;
  }

  // Encodes this state into aString.
  void ToString(nsCString& aString);
};
class nsSTSPreload;
/**
 * nsSiteSecurityService: implements nsISiteSecurityService and nsIObserver.
 *
 * The private helpers below process security headers (STS and PKP) received
 * for a URI and record the resulting per-host state. Only declarations are
 * visible in this header; the notes on behaviour are hedged accordingly.
 */
class nsSiteSecurityService : public nsISiteSecurityService
                            , public nsIObserver
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIOBSERVER
  NS_DECL_NSISITESECURITYSERVICE

  nsSiteSecurityService();

  // Initialization is separate from construction and reports failure through
  // its nsresult.
  nsresult Init();

protected:
  virtual ~nsSiteSecurityService();

private:
  // Writes the host of aURI into aResult.
  nsresult GetHost(nsIURI* aURI, nsACString& aResult);

  // Records HSTS state for the host of aSourceURI.
  // NOTE(review): maxage is a signed int64_t here while the header-processing
  // methods report max-age through a uint64_t*; confirm the conversion at the
  // call site cannot turn a very large max-age into a negative value.
  nsresult SetHSTSState(uint32_t aType, nsIURI* aSourceURI, int64_t maxage,
                        bool includeSubdomains, uint32_t flags);

  // Common entry point taking a header type plus the raw header text.
  // aHeader is presumably the header value as received from the network and
  // should be treated as untrusted input by the implementation -- confirm.
  // aMaxAge, aIncludeSubdomains and aFailureResult are out-parameters;
  // whether they may be null is not visible from this declaration.
  nsresult ProcessHeaderInternal(uint32_t aType, nsIURI* aSourceURI,
                                 const char* aHeader, nsISSLStatus* aSSLStatus,
                                 uint32_t aFlags, uint64_t* aMaxAge,
                                 bool* aIncludeSubdomains,
                                 uint32_t* aFailureResult);

  // Processes an STS header for aSourceURI.
  nsresult ProcessSTSHeader(nsIURI* aSourceURI, const char* aHeader,
                            uint32_t flags, uint64_t* aMaxAge,
                            bool* aIncludeSubdomains, uint32_t* aFailureResult);

  // Processes a PKP header for aSourceURI. Unlike the STS variant it also
  // receives the connection's nsISSLStatus.
  nsresult ProcessPKPHeader(nsIURI* aSourceURI, const char* aHeader,
                            nsISSLStatus* aSSLStatus, uint32_t flags,
                            uint64_t* aMaxAge, bool* aIncludeSubdomains,
                            uint32_t* aFailureResult);

  // Records HPKP state for aHost.
  nsresult SetHPKPState(const char* aHost, SiteHPKPState& entry, uint32_t flags);

  // Looks up aHost on the preload list.
  // NOTE(review): presumably returns null when there is no entry -- confirm.
  const nsSTSPreload* GetPreloadListEntry(const char* aHost);

  // Presumably toggles consultation of the preload list -- confirm where it
  // is set.
  bool mUsePreloadList;

  // Time offset applied in preload-list handling; units and sign convention
  // are not visible in this header.
  int64_t mPreloadListTimeOffset;

  // NOTE(review): by its name, controls whether PKP headers are honoured on
  // connections whose chain ends in a root that is not built in. Enabling it
  // would let any locally installed root influence stored pins, so the
  // default and the places that flip it deserve a look -- confirm.
  bool mProcessPKPHeadersFromNonBuiltInRoots;

  // Backing store for per-site state.
  nsRefPtr<mozilla::DataStorage> mSiteStateStorage;
};
#endif // __nsSiteSecurityService_h__