mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-07-02 21:29:43 +00:00
67 lines
2.5 KiB
C
67 lines
2.5 KiB
C
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||
|
|
||
|
#ifndef PublicKeyPinningService_h
|
||
|
#define PublicKeyPinningService_h
|
||
|
|
||
|
#include "cert.h"
|
||
|
#include "CertVerifier.h"
|
||
|
#include "nsString.h"
|
||
|
#include "nsTArray.h"
|
||
|
#include "pkix/Time.h"
|
||
|
|
||
|
namespace mozilla {
|
||
|
namespace psm {
|
||
|
|
||
|
class PublicKeyPinningService
|
||
|
{
|
||
|
public:
|
||
|
/**
|
||
|
* Returns true if the given (host, certList) passes pinning checks,
|
||
|
* false otherwise. If the host is pinned, return true if one of the keys in
|
||
|
* the given certificate chain matches the pin set specified by the
|
||
|
* hostname. If the hostname is null or empty evaluate against all the
|
||
|
* possible names for the EE cert (Common Name (CN) plus all DNS Name:
|
||
|
* subject Alt Name entries). The certList's head is the EE cert and the
|
||
|
* tail is the trust anchor.
|
||
|
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
|
||
|
* that would otherwise be valid for it
|
||
|
*/
|
||
|
static nsresult ChainHasValidPins(const CERTCertList* certList,
|
||
|
const char* hostname,
|
||
|
mozilla::pkix::Time time,
|
||
|
bool enforceTestMode,
|
||
|
/*out*/ bool& chainHasValidPins,
|
||
|
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
|
||
|
/**
|
||
|
* Returns true if there is any intersection between the certificate list
|
||
|
* and the pins specified in the aSHA256key array. Values passed in are
|
||
|
* assumed to be in base64 encoded form
|
||
|
*/
|
||
|
static nsresult ChainMatchesPinset(const CERTCertList* certList,
|
||
|
const nsTArray<nsCString>& aSHA256keys,
|
||
|
/*out*/ bool& chainMatchesPinset);
|
||
|
|
||
|
/**
|
||
|
* Returns true via the output parameter hostHasPins if there is pinning
|
||
|
* information for the given host that is valid at the given time, and false
|
||
|
* otherwise.
|
||
|
*/
|
||
|
static nsresult HostHasPins(const char* hostname,
|
||
|
mozilla::pkix::Time time,
|
||
|
bool enforceTestMode,
|
||
|
/*out*/ bool& hostHasPins);
|
||
|
|
||
|
/**
|
||
|
* Given a hostname of potentially mixed case with potentially multiple
|
||
|
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
|
||
|
* trailing '.'.
|
||
|
*/
|
||
|
static nsAutoCString CanonicalizeHostname(const char* hostname);
|
||
|
};
|
||
|
|
||
|
}} // namespace mozilla::psm
|
||
|
|
||
|
#endif // PublicKeyPinningServiceService_h
|