mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-06 09:05:45 +00:00
b1405bc489
--HG-- rename : security/insanity/include/insanity/ScopedPtr.h => security/pkix/include/pkix/ScopedPtr.h rename : security/insanity/include/insanity/bind.h => security/pkix/include/pkix/bind.h rename : security/insanity/include/insanity/nullptr.h => security/pkix/include/pkix/nullptr.h rename : security/insanity/include/insanity/pkix.h => security/pkix/include/pkix/pkix.h rename : security/insanity/include/insanity/pkixtypes.h => security/pkix/include/pkix/pkixtypes.h rename : security/insanity/lib/pkixbind.cpp => security/pkix/lib/pkixbind.cpp rename : security/insanity/lib/pkixbuild.cpp => security/pkix/lib/pkixbuild.cpp rename : security/insanity/lib/pkixcheck.cpp => security/pkix/lib/pkixcheck.cpp rename : security/insanity/lib/pkixcheck.h => security/pkix/lib/pkixcheck.h rename : security/insanity/lib/pkixder.cpp => security/pkix/lib/pkixder.cpp rename : security/insanity/lib/pkixder.h => security/pkix/lib/pkixder.h rename : security/insanity/lib/pkixkey.cpp => security/pkix/lib/pkixkey.cpp rename : security/insanity/lib/pkixocsp.cpp => security/pkix/lib/pkixocsp.cpp rename : security/insanity/lib/pkixutil.h => security/pkix/lib/pkixutil.h rename : security/insanity/moz.build => security/pkix/moz.build rename : security/insanity/test/lib/moz.build => security/pkix/test/lib/moz.build rename : security/insanity/test/lib/pkixtestutil.cpp => security/pkix/test/lib/pkixtestutil.cpp rename : security/insanity/test/lib/pkixtestutil.h => security/pkix/test/lib/pkixtestutil.h
108 lines
4.1 KiB
C++
108 lines
4.1 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* Copyright 2013 Mozilla Foundation
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef mozilla_psm_OCSPCache_h
|
|
#define mozilla_psm_OCSPCache_h
|
|
|
|
#include "certt.h"
|
|
#include "hasht.h"
|
|
#include "pkix/pkixtypes.h"
|
|
#include "mozilla/Mutex.h"
|
|
#include "mozilla/Vector.h"
|
|
#include "prerror.h"
|
|
|
|
namespace mozilla { namespace psm {
|
|
|
|
// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
|
|
typedef uint8_t SHA384Buffer[SHA384_LENGTH];
|
|
|
|
// OCSPCache can store and retrieve OCSP response verification results. Each
|
|
// result is keyed on the certificate that purportedly corresponds to it (where
|
|
// certificates are distinguished based on serial number, issuer, and
|
|
// issuer public key, much like in an encoded OCSP response itself). A maximum
|
|
// of 1024 distinct entries can be stored.
|
|
// OCSPCache is thread-safe.
|
|
class OCSPCache
|
|
{
|
|
public:
|
|
OCSPCache();
|
|
~OCSPCache();
|
|
|
|
// Returns true if the status of the given certificate (issued by the given
|
|
// issuer) is in the cache, and false otherwise.
|
|
// If it is in the cache, returns by reference the error code of the cached
|
|
// status and the time through which the status is considered trustworthy.
|
|
bool Get(const CERTCertificate* aCert, const CERTCertificate* aIssuerCert,
|
|
/* out */ PRErrorCode& aErrorCode, /* out */ PRTime& aValidThrough);
|
|
|
|
// Caches the status of the given certificate (issued by the given issuer).
|
|
// The status is considered trustworthy through the given time.
|
|
// A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
|
|
// be replaced or evicted.
|
|
// A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
|
|
// be evicted when the cache is full.
|
|
// A status with a more recent thisUpdate will not be replaced with a
|
|
// status with a less recent thisUpdate unless the less recent status
|
|
// indicates the certificate is revoked.
|
|
SECStatus Put(const CERTCertificate* aCert,
|
|
const CERTCertificate* aIssuerCert,
|
|
PRErrorCode aErrorCode,
|
|
PRTime aThisUpdate,
|
|
PRTime aValidThrough);
|
|
|
|
// Removes everything from the cache.
|
|
void Clear();
|
|
|
|
private:
|
|
class Entry
|
|
{
|
|
public:
|
|
SECStatus Init(const CERTCertificate* aCert,
|
|
const CERTCertificate* aIssuerCert,
|
|
PRErrorCode aErrorCode, PRTime aThisUpdate,
|
|
PRTime aValidThrough);
|
|
|
|
PRErrorCode mErrorCode;
|
|
PRTime mThisUpdate;
|
|
PRTime mValidThrough;
|
|
// The SHA-384 hash of the concatenation of the DER encodings of the
|
|
// issuer name and issuer key, followed by the serial number.
|
|
// See the documentation for CertIDHash in OCSPCache.cpp.
|
|
SHA384Buffer mIDHash;
|
|
};
|
|
|
|
int32_t FindInternal(const CERTCertificate* aCert,
|
|
const CERTCertificate* aIssuerCert,
|
|
const MutexAutoLock& aProofOfLock);
|
|
void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
|
|
void LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
|
|
const CERTCertificate* aIssuerCert);
|
|
|
|
Mutex mMutex;
|
|
static const size_t MaxEntries = 1024;
|
|
// Sorted with the most-recently-used entry at the end.
|
|
// Using 256 here reserves as much possible inline storage as the vector
|
|
// implementation will give us. 1024 bytes is the maximum it allows,
|
|
// which results in 256 Entry pointers or 128 Entry pointers, depending
|
|
// on the size of a pointer.
|
|
Vector<Entry*, 256> mEntries;
|
|
};
|
|
|
|
} } // namespace mozilla::psm
|
|
|
|
#endif // mozilla_psm_OCSPCache_h
|