1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_psm__CertVerifier_h
8 #define mozilla_psm__CertVerifier_h
10 #include "pkix/pkixtypes.h"
11 #include "OCSPCache.h"
12 #include "ScopedNSSTypes.h"
14 namespace mozilla
{ namespace psm
{
// Forward declaration only; the struct is defined elsewhere (not visible
// in this header), so callers here can only hold pointers/references to it.
struct ChainValidationCallbackState;
// Option bits accepted by the Verify* entry points below.  The name and the
// unsigned type suggest the constants are meant to be OR-combined; the
// initializers for the two constants are not visible in this copy, so
// their numeric values cannot be stated here.
typedef unsigned int Flags;
// XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
// NOTE(review): presumably restricts verification to locally available
// data (no network fetches) — confirm against the implementation.
static const Flags FLAG_LOCAL_ONLY;
// Don't perform fallback DV validation on EV validation failure.
// In other words, a cert that fails the EV checks is rejected outright
// instead of being re-validated as an ordinary (DV) certificate.
static const Flags FLAG_MUST_BE_EV;
/// Verify `cert` for a single `usage` as of `time`.
/// Only one usage per verification is supported.
///
/// @param cert                 the certificate to verify
/// @param usage                the single SECCertificateUsage being checked
/// @param time                 reference time for the validity checks
/// @param stapledOCSPResponse  optional in: an OCSP response handed in by
///                             the caller (presumably one stapled by a TLS
///                             peer, i.e. untrusted until verified; the
///                             verification itself is not visible here)
/// @param builtChain           optional out: receives the chain that was
///                             built, when the caller wants it
/// @param evOidPolicy          optional out: the EV policy OID that matched;
///                             *evOidPolicy == SEC_OID_UNKNOWN means the
///                             cert is NOT EV
/// @return SECStatus — SECSuccess on success, SECFailure otherwise (NSS
///         convention; the specific error codes are set in the .cpp).
/// NOTE(review): the embedded line numbers in this copy jump from 31 to 35
/// inside the parameter list, so parameters may be missing from this copy.
SECStatus VerifyCert(CERTCertificate* cert,
                     SECCertificateUsage usage,
                     mozilla::pkix::Time time,
    /*optional in*/  const SECItem* stapledOCSPResponse = nullptr,
    /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
/// Verify `peerCert` as a TLS server certificate as of `time`.
///
/// @param peerCert             the server's end-entity certificate
/// @param stapledOCSPResponse  optional: OCSP response presented together
///                             with the certificate; as peer-supplied data
///                             it must be treated as untrusted until it has
///                             been verified (that logic is not visible in
///                             this header)
/// @param time                 reference time for the validity checks
/// @param pinarg               optional: opaque pointer; presumably passed
///                             through to NSS callbacks — confirm in the .cpp
/// @param saveIntermediatesInPermanentDatabase
///                             per its name, persists intermediates from the
///                             built chain when true; defaults to false
/// @param builtChain           optional out: receives the chain that was built
/// @param evOidPolicy          optional out: the matched EV policy OID;
///                             SEC_OID_UNKNOWN means the cert is NOT EV
///                             (same convention as VerifyCert)
/// @return SECStatus — SECSuccess when the certificate is acceptable for
///         the server, SECFailure otherwise.
/// NOTE(review): the embedded line numbers in this copy skip 44 and 46
/// inside the parameter list, so parameters may be missing from this copy.
SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
       /*optional*/  const SECItem* stapledOCSPResponse,
                     mozilla::pkix::Time time,
       /*optional*/  void* pinarg,
                     bool saveIntermediatesInPermanentDatabase = false,
    /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);
50 enum pinning_enforcement_config
{
52 pinningAllowUserCAMITM
= 1,
54 pinningEnforceTestMode
= 3
// Configuration enums consumed by the verifier.  The meanings below are
// read off the identifier names; the code that acts on each value is not
// visible in this header.  Each enum is a two-state switch whose first
// enumerator is the more restrictive (network-free) setting.
// Whether a missing issuer certificate may be fetched.
enum missing_cert_download_config {
  missing_cert_download_off = 0,
  missing_cert_download_on
};
// Whether CRLs may be fetched or only locally held ones used.
enum crl_download_config {
  crl_local_only = 0,
  crl_download_allowed
};
// Whether OCSP fetching is performed at all.
enum ocsp_download_config {
  ocsp_off = 0,
  ocsp_on
};
// Whether an unavailable/failed OCSP response is fatal (strict) or
// tolerated (relaxed).
enum ocsp_strict_config {
  ocsp_relaxed = 0,
  ocsp_strict
};
// Whether OCSP requests may be sent with HTTP GET.
enum ocsp_get_config {
  ocsp_get_disabled = 0,
  ocsp_get_enabled = 1
};
/// Reports whether OCSP fetching is enabled for this verifier.
/// Simply exposes the const member mOCSPDownloadEnabled; no other state
/// is consulted.
bool IsOCSPDownloadEnabled() const
{
  return this->mOCSPDownloadEnabled;
}
/// Constructs a verifier from its configuration knobs.  The members below
/// are const, so whatever policy is chosen here cannot be relaxed later.
/// @param odc  ocsp_download_config (ocsp_off / ocsp_on)
/// @param osc  ocsp_strict_config (ocsp_relaxed / ocsp_strict)
/// @param pinningEnforcementLevel  pinning_enforcement_config
/// NOTE(review): the embedded line numbers in this copy skip one line
/// between `osc` and `pinningEnforcementLevel`; given the mOCSPGETEnabled
/// member, an ocsp_get_config parameter is probably missing from this copy.
CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
             pinning_enforcement_config pinningEnforcementLevel);
/// Empties this verifier's OCSP cache by delegating to mOCSPCache.Clear().
/// No other state is touched.
void ClearOCSPCache()
{
  this->mOCSPCache.Clear();
}
// Policy captured when the verifier is constructed.  All four are const,
// so a verifier's policy cannot be weakened after construction.
const bool mOCSPDownloadEnabled;   // exposed via IsOCSPDownloadEnabled()
const bool mOCSPStrict;            // presumably derived from ocsp_strict_config
const bool mOCSPGETEnabled;        // presumably derived from ocsp_get_config
const pinning_enforcement_config mPinningEnforcementLevel;
// Per its name, sets up logging for the cert verifier.  Declaration only;
// the definition and the log module it initializes are not in this header.
void InitCertVerifierLog();
82 } } // namespace mozilla::psm
84 #endif // mozilla_psm__CertVerifier_h