gecko-dev/security/certverifier/BRNameMatchingPolicy.h
David Keeler 1fdc1bdd0a bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels r=Cykesiopka,jcj
MozReview-Commit-ID: 1vHXrPAHTRm

--HG--
extra : rebase_source : dddd8ae973d1d793890bbfc44d9fe84ef4a47ee2
2016-04-25 15:55:18 -07:00

60 lines
2.3 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef BRNameMatchingPolicy_h
#define BRNameMatchingPolicy_h
#include "pkix/pkixtypes.h"
namespace mozilla { namespace psm {
// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
// the requirements of the subject common name field are as follows:
// "If present, this field MUST contain a single IP address or FullyQualified
// Domain Name that is one of the values contained in the Certificates
// subjectAltName extension". Consequently, since any name information present
// in the common name must be present in the subject alternative name extension,
// when performing name matching, it should not be necessary to fall back to the
// common name. Because this consequence has not commonly been enforced, this
// implementation provides a mechanism to start enforcing it gradually while
// maintaining some backwards compatibility. If configured with the mode
// "EnforceAfter23August2016", name matching will only fall back to using the
// subject common name for certificates where the notBefore field is before 23
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
// available. This is to provide a balance between allowing preexisting
// long-lived certificates and detecting newly-issued problematic certificates.
// Note that this implementation does not actually directly enforce that if the
// subject common name is present, its value corresponds to a dNSName or
// iPAddress entry in the subject alternative name extension.
class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
{
public:
enum class Mode {
DoNotEnforce = 0,
EnforceAfter23August2016 = 1,
EnforceAfter23August2015 = 2,
Enforce = 3,
};
explicit BRNameMatchingPolicy(Mode mode)
: mMode(mode)
{
}
virtual mozilla::pkix::Result FallBackToCommonName(
mozilla::pkix::Time notBefore,
/*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
override;
private:
Mode mMode;
};
} } // namespace mozilla::psm
#endif // BRNameMatchingPolicy_h