mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-02 15:15:23 +00:00
128f004a1f
ScopedCERTCertList is based on Scoped.h, which is deprecated in favour of the standardised UniquePtr. Also changes CERTCertList parameters of various functions to make ownership more explicit. MozReview-Commit-ID: EXqxTK6inqy --HG-- extra : transplant_source : %9B%A9a%94%D1%7E%2BTa%9E%9Fu%9F%02%B3%1AT%1B%F1%F6
66 lines
2.5 KiB
C++
66 lines
2.5 KiB
C++
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef PublicKeyPinningService_h
|
|
#define PublicKeyPinningService_h
|
|
|
|
#include "CertVerifier.h"
|
|
#include "ScopedNSSTypes.h"
|
|
#include "cert.h"
|
|
#include "nsString.h"
|
|
#include "nsTArray.h"
|
|
#include "pkix/Time.h"
|
|
|
|
namespace mozilla {
|
|
namespace psm {
|
|
|
|
class PublicKeyPinningService
|
|
{
|
|
public:
|
|
/**
|
|
* Sets chainHasValidPins to true if the given (host, certList) passes pinning
|
|
* checks, or to false otherwise. If the host is pinned, returns true via
|
|
* chainHasValidPins if one of the keys in the given certificate chain matches
|
|
* the pin set specified by the hostname. The certList's head is the EE cert
|
|
* and the tail is the trust anchor.
|
|
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
|
|
* that would otherwise be valid for it
|
|
*/
|
|
static nsresult ChainHasValidPins(const UniqueCERTCertList& certList,
|
|
const char* hostname,
|
|
mozilla::pkix::Time time,
|
|
bool enforceTestMode,
|
|
/*out*/ bool& chainHasValidPins,
|
|
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
|
|
/**
|
|
* Sets chainMatchesPinset to true if there is any intersection between the
|
|
* certificate list and the pins specified in the aSHA256keys array.
|
|
* Values passed in are assumed to be in base64 encoded form.
|
|
*/
|
|
static nsresult ChainMatchesPinset(const UniqueCERTCertList& certList,
|
|
const nsTArray<nsCString>& aSHA256keys,
|
|
/*out*/ bool& chainMatchesPinset);
|
|
|
|
/**
|
|
* Returns true via the output parameter hostHasPins if there is pinning
|
|
* information for the given host that is valid at the given time, and false
|
|
* otherwise.
|
|
*/
|
|
static nsresult HostHasPins(const char* hostname,
|
|
mozilla::pkix::Time time,
|
|
bool enforceTestMode,
|
|
/*out*/ bool& hostHasPins);
|
|
|
|
/**
|
|
* Given a hostname of potentially mixed case with potentially multiple
|
|
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
|
|
* trailing '.'.
|
|
*/
|
|
static nsAutoCString CanonicalizeHostname(const char* hostname);
|
|
};
|
|
|
|
}} // namespace mozilla::psm
|
|
|
|
#endif // PublicKeyPinningService_h
|