mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-07 04:05:49 +00:00
a028ea5c2d
--HG-- rename : security/manager/boot/src/CertBlocklist.cpp => security/manager/ssl/CertBlocklist.cpp rename : security/manager/boot/src/CertBlocklist.h => security/manager/ssl/CertBlocklist.h rename : security/manager/boot/src/DataStorage.cpp => security/manager/ssl/DataStorage.cpp rename : security/manager/boot/src/DataStorage.h => security/manager/ssl/DataStorage.h rename : security/manager/boot/src/PublicKeyPinningService.cpp => security/manager/ssl/PublicKeyPinningService.cpp rename : security/manager/boot/src/PublicKeyPinningService.h => security/manager/ssl/PublicKeyPinningService.h rename : security/manager/boot/src/RootCertificateTelemetryUtils.cpp => security/manager/ssl/RootCertificateTelemetryUtils.cpp rename : security/manager/boot/src/RootCertificateTelemetryUtils.h => security/manager/ssl/RootCertificateTelemetryUtils.h rename : security/manager/boot/src/RootHashes.inc => security/manager/ssl/RootHashes.inc rename : security/manager/boot/src/StaticHPKPins.errors => security/manager/ssl/StaticHPKPins.errors rename : security/manager/boot/src/StaticHPKPins.h => security/manager/ssl/StaticHPKPins.h rename : security/manager/boot/src/nsEntropyCollector.cpp => security/manager/ssl/nsEntropyCollector.cpp rename : security/manager/boot/src/nsEntropyCollector.h => security/manager/ssl/nsEntropyCollector.h rename : security/manager/boot/public/nsIBufEntropyCollector.idl => security/manager/ssl/nsIBufEntropyCollector.idl rename : security/manager/boot/public/nsICertBlocklist.idl => security/manager/ssl/nsICertBlocklist.idl rename : security/manager/boot/public/nsISSLStatusProvider.idl => security/manager/ssl/nsISSLStatusProvider.idl rename : security/manager/boot/public/nsISecurityUITelemetry.idl => security/manager/ssl/nsISecurityUITelemetry.idl rename : security/manager/boot/src/nsSTSPreloadList.errors => security/manager/ssl/nsSTSPreloadList.errors rename : security/manager/boot/src/nsSTSPreloadList.inc => security/manager/ssl/nsSTSPreloadList.inc rename : security/manager/boot/src/nsSecureBrowserUIImpl.cpp => security/manager/ssl/nsSecureBrowserUIImpl.cpp rename : security/manager/boot/src/nsSecureBrowserUIImpl.h => security/manager/ssl/nsSecureBrowserUIImpl.h rename : security/manager/boot/src/nsSecurityHeaderParser.cpp => security/manager/ssl/nsSecurityHeaderParser.cpp rename : security/manager/boot/src/nsSecurityHeaderParser.h => security/manager/ssl/nsSecurityHeaderParser.h rename : security/manager/boot/src/nsSiteSecurityService.cpp => security/manager/ssl/nsSiteSecurityService.cpp rename : security/manager/boot/src/nsSiteSecurityService.h => security/manager/ssl/nsSiteSecurityService.h
65 lines
2.4 KiB
C++
65 lines
2.4 KiB
C++
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef PublicKeyPinningService_h
|
|
#define PublicKeyPinningService_h
|
|
|
|
#include "cert.h"
|
|
#include "nsString.h"
|
|
#include "nsTArray.h"
|
|
#include "pkix/Time.h"
|
|
|
|
namespace mozilla {
|
|
namespace psm {
|
|
|
|
class PublicKeyPinningService
|
|
{
|
|
public:
|
|
/**
|
|
* Returns true if the given (host, certList) passes pinning checks,
|
|
* false otherwise. If the host is pinned, return true if one of the keys in
|
|
* the given certificate chain matches the pin set specified by the
|
|
* hostname. If the hostname is null or empty evaluate against all the
|
|
* possible names for the EE cert (Common Name (CN) plus all DNS Name:
|
|
* subject Alt Name entries). The certList's head is the EE cert and the
|
|
* tail is the trust anchor.
|
|
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
|
|
* that would otherwise be valid for it
|
|
*/
|
|
static nsresult ChainHasValidPins(const CERTCertList* certList,
|
|
const char* hostname,
|
|
mozilla::pkix::Time time,
|
|
bool enforceTestMode,
|
|
/*out*/ bool& chainHasValidPins);
|
|
/**
|
|
* Returns true if there is any intersection between the certificate list
|
|
* and the pins specified in the aSHA256key array. Values passed in are
|
|
* assumed to be in base64 encoded form
|
|
*/
|
|
static nsresult ChainMatchesPinset(const CERTCertList* certList,
|
|
const nsTArray<nsCString>& aSHA256keys,
|
|
/*out*/ bool& chainMatchesPinset);
|
|
|
|
/**
|
|
* Returns true via the output parameter hostHasPins if there is pinning
|
|
* information for the given host that is valid at the given time, and false
|
|
* otherwise.
|
|
*/
|
|
static nsresult HostHasPins(const char* hostname,
|
|
mozilla::pkix::Time time,
|
|
bool enforceTestMode,
|
|
/*out*/ bool& hostHasPins);
|
|
|
|
/**
|
|
* Given a hostname of potentially mixed case with potentially multiple
|
|
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
|
|
* trailing '.'.
|
|
*/
|
|
static nsAutoCString CanonicalizeHostname(const char* hostname);
|
|
};
|
|
|
|
}} // namespace mozilla::psm
|
|
|
|
#endif // PublicKeyPinningServiceService_h
|