mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-09-23 03:59:44 +00:00
161 lines
7.7 KiB
C++
161 lines
7.7 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This code is made available to you under your choice of the following sets
|
|
* of licensing terms:
|
|
*/
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*/
|
|
/* Copyright 2013 Mozilla Contributors
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef mozilla_pkix_pkix_h
|
|
#define mozilla_pkix_pkix_h
|
|
|
|
#include "pkixtypes.h"
|
|
|
|
namespace mozilla { namespace pkix {
|
|
|
|
// ----------------------------------------------------------------------------
|
|
// LIMITED SUPPORT FOR CERTIFICATE POLICIES
|
|
//
|
|
// If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
|
|
// parameter then all policy validation will be skipped. Otherwise, path
|
|
// building and validation will be done for the given policy.
|
|
//
|
|
// In RFC 5280 terms:
|
|
//
|
|
// * user-initial-policy-set = { requiredPolicy }.
|
|
// * initial-explicit-policy = true
|
|
// * initial-any-policy-inhibit = false
|
|
//
|
|
// We allow intermediate cerificates to use this extension but since
|
|
// we do not process the inhibit anyPolicy extesion we will fail if this
|
|
// extension is present. TODO(bug 989051)
|
|
// Because we force explicit policy and because we prohibit policy mapping, we
|
|
// do not bother processing the policy mapping, or policy constraint.
|
|
//
|
|
// ----------------------------------------------------------------------------
|
|
// ERROR RANKING
|
|
//
|
|
// BuildCertChain prioritizes certain checks ahead of others so that when a
|
|
// certificate chain has multiple errors, the "most serious" error is
|
|
// returned. In practice, this ranking of seriousness is tied directly to how
|
|
// Firefox's certificate error override mechanism.
|
|
//
|
|
// The ranking is:
|
|
//
|
|
// 1. Active distrust (Result::ERROR_UNTRUSTED_CERT).
|
|
// 2. Problems with issuer-independent properties for CA certificates.
|
|
// 3. Unknown issuer (Result::ERROR_UNKNOWN_ISSUER).
|
|
// 4. Problems with issuer-independent properties for EE certificates.
|
|
// 5. Revocation.
|
|
//
|
|
// In particular, if BuildCertChain returns Result::ERROR_UNKNOWN_ISSUER then
|
|
// the caller can call CERT_CheckCertValidTimes to determine if the certificate
|
|
// is ALSO expired.
|
|
//
|
|
// It would be better if revocation were prioritized above expiration and
|
|
// unknown issuer. However, it is impossible to do revocation checking without
|
|
// knowing the issuer, since the issuer information is needed to validate the
|
|
// revocation information. Also, generally revocation checking only works
|
|
// during the validity period of the certificate.
|
|
//
|
|
// In general, when path building fails, BuildCertChain will return
|
|
// Result::ERROR_UNKNOWN_ISSUER. However, if all attempted paths resulted in
|
|
// the same error (which is trivially true when there is only one potential
|
|
// path), more specific errors will be returned.
|
|
//
|
|
// ----------------------------------------------------------------------------
|
|
// Meanings of specific error codes can be found in Result.h
|
|
|
|
// This function attempts to find a trustworthy path from the supplied
|
|
// certificate to a trust anchor. In the event that no trusted path is found,
|
|
// the method returns an error result; the error ranking is described above.
|
|
//
|
|
// Parameters:
|
|
// time:
|
|
// Timestamp for which the chain should be valid; this is useful to
|
|
// analyze whether a record was trustworthy when it was made.
|
|
// requiredKeyUsageIfPresent:
|
|
// What key usage bits must be set, if the extension is present at all,
|
|
// to be considered a valid chain. Multiple values should be OR'd
|
|
// together. If you don't want to specify anything, use
|
|
// KeyUsage::noParticularKeyUsageRequired.
|
|
// requiredEKUIfPresent:
|
|
// What extended key usage bits must be set, if the EKU extension
|
|
// exists, to be considered a valid chain. Multiple values should be
|
|
// OR'd together. If you don't want to specify anything, use
|
|
// KeyPurposeId::anyExtendedKeyUsage.
|
|
// requiredPolicy:
|
|
// This is the policy to apply; typically included in EV certificates.
|
|
// If there is no policy, pass in CertPolicyId::anyPolicy.
|
|
Result BuildCertChain(TrustDomain& trustDomain, Input cert,
|
|
Time time, EndEntityOrCA endEntityOrCA,
|
|
KeyUsage requiredKeyUsageIfPresent,
|
|
KeyPurposeId requiredEKUIfPresent,
|
|
const CertPolicyId& requiredPolicy,
|
|
/*optional*/ const Input* stapledOCSPResponse);
|
|
|
|
// Verify that the given end-entity cert, which is assumed to have been already
|
|
// validated with BuildCertChain, is valid for the given hostname. The matching
|
|
// function attempts to implement RFC 6125 with a couple of differences:
|
|
// - IP addresses are out of scope of RFC 6125, but this method accepts them for
|
|
// backward compatibility (see SearchNames in pkixnames.cpp)
|
|
// - A wildcard in a DNS-ID may only appear as the entirety of the first label.
|
|
Result CheckCertHostname(Input cert, Input hostname);
|
|
|
|
// Construct an RFC-6960-encoded OCSP request, ready for submission to a
|
|
// responder, for the provided CertID. The request has no extensions.
|
|
static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
|
|
Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
|
|
const CertID& certID,
|
|
/*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
|
|
/*out*/ size_t& outLen);
|
|
|
|
// The out parameter expired will be true if the response has expired. If the
|
|
// response also indicates a revoked or unknown certificate, that error
|
|
// will be returned. Otherwise, Result::ERROR_OCSP_OLD_RESPONSE will be
|
|
// returned for an expired response.
|
|
//
|
|
// The optional parameter thisUpdate will be the thisUpdate value of
|
|
// the encoded response if it is considered trustworthy. Only
|
|
// good, unknown, or revoked responses that verify correctly are considered
|
|
// trustworthy. If the response is not trustworthy, thisUpdate will be 0.
|
|
// Similarly, the optional parameter validThrough will be the time through
|
|
// which the encoded response is considered trustworthy (that is, as long as
|
|
// the given time at which to validate is less than or equal to validThrough,
|
|
// the response will be considered trustworthy).
|
|
Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
|
|
const CertID& certID, Time time,
|
|
uint16_t maxLifetimeInDays,
|
|
Input encodedResponse,
|
|
/* out */ bool& expired,
|
|
/* optional out */ Time* thisUpdate = nullptr,
|
|
/* optional out */ Time* validThrough = nullptr);
|
|
|
|
// Check that the TLSFeature extensions in a given end-entity cert (which is
|
|
// assumed to have been already validated with BuildCertChain) are satisfied.
|
|
// The only feature which we cancurrently process a requirement for is
|
|
// status_request (OCSP stapling) so we reject any extension that specifies a
|
|
// requirement for another value. Empty extensions are also rejected.
|
|
Result CheckTLSFeaturesAreSatisfied(Input& cert,
|
|
const Input* stapledOCSPResponse);
|
|
|
|
} } // namespace mozilla::pkix
|
|
|
|
#endif // mozilla_pkix_pkix_h
|