1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_psm__CertVerifier_h
8 #define mozilla_psm__CertVerifier_h
10 #include "pkix/pkixtypes.h"
11 #include "OCSPCache.h"
12 #include "ScopedNSSTypes.h"
14 namespace mozilla { namespace psm {
16 struct ChainValidationCallbackState;
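class CertVerifier
{
public:
  // Verification options; the FLAG_* constants below are combined into one
  // value and passed as the 'flags' parameter of the Verify* methods.
  using Flags = unsigned int;
  // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
  static const Flags FLAG_LOCAL_ONLY;
  // Don't perform fallback DV validation on EV validation failure.
  static const Flags FLAG_MUST_BE_EV;

  // Verifies 'cert' for exactly one 'usage' at reference time 'time'.
  // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
  // Only one usage per verification is supported.
  //
  // cert                - the certificate to verify.
  // usage               - the single SECCertificateUsage to validate for.
  // time                - reference time for the validation decision.
  // pinArg              - opaque argument forwarded to NSS callbacks
  //                       (NOTE(review): assumed to be the usual NSS pin
  //                       argument - confirm in the implementation).
  // hostname            - server name used by name-dependent checks
  //                       (NOTE(review): whether nullptr is accepted is
  //                       decided by the implementation - confirm).
  // flags               - combination of FLAG_* values; 0 selects none.
  // stapledOCSPResponse - optional OCSP response supplied by the peer.
  // builtChain          - optional out: the chain that was built.
  // evOidPolicy         - optional out: EV policy OID, or SEC_OID_UNKNOWN.
  // Returns a SECStatus; the failure reason is reported by the NSS error
  // mechanism, not by the return value itself.
  SECStatus VerifyCert(CERTCertificate* cert,
                       SECCertificateUsage usage,
                       mozilla::pkix::Time time,
                       void* pinArg,
                       const char* hostname,
                       Flags flags = 0,
       /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
      /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
      /*optional out*/ SECOidTag* evOidPolicy = nullptr);

  // Verifies a TLS server certificate ('peerCert') for 'hostname'.
  //
  // peerCert            - the end-entity certificate presented by the peer.
  // stapledOCSPResponse - optional OCSP response stapled into the handshake.
  // time                - reference time for the validation decision.
  // pinarg              - optional opaque argument forwarded to NSS callbacks.
  // hostname            - the server name the certificate must match.
  // saveIntermediatesInPermanentDatabase
  //                     - when true, intermediates from the built chain are
  //                       persisted (NOTE(review): exact persistence rules
  //                       live in the implementation - confirm).
  // flags               - combination of FLAG_* values; 0 selects none.
  // builtChain          - optional out: the chain that was built.
  // evOidPolicy         - optional out: EV policy OID, or SEC_OID_UNKNOWN.
  // Returns a SECStatus, as VerifyCert does.
  SECStatus VerifySSLServerCert(
                     CERTCertificate* peerCert,
        /*optional*/ const SECItem* stapledOCSPResponse,
                     mozilla::pkix::Time time,
        /*optional*/ void* pinarg,
                     const char* hostname,
                     bool saveIntermediatesInPermanentDatabase = false,
                     Flags flags = 0,
    /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr);

  // Levels of public-key-pinning enforcement. The level is fixed at
  // construction via the 'pinningEnforcementLevel' parameter and exposed
  // read-only as mPinningEnforcementLevel.
  enum pinning_enforcement_config {
    pinningDisabled = 0,
    pinningAllowUserCAMITM = 1,
    pinningStrict = 2,
    pinningEnforceTestMode = 3
  };

  // Two-state configuration knobs. The three ocsp_* enums are taken by the
  // constructor and presumably map onto the const bool members below
  // (NOTE(review): mapping inferred from the names - confirm in the .cpp).
  enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
  enum crl_download_config { crl_local_only = 0, crl_download_allowed };
  enum ocsp_download_config { ocsp_off = 0, ocsp_on };
  enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
  enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };

  // Returns mOCSPDownloadEnabled; true when OCSP fetching was enabled at
  // construction.
  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }

  // Captures the OCSP and pinning policy into the const members below; the
  // policy of a CertVerifier cannot change after construction.
  CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
               ocsp_get_config ogc,
               pinning_enforcement_config pinningEnforcementLevel);
  ~CertVerifier();

  // Discards everything in mOCSPCache by delegating to OCSPCache::Clear().
  void ClearOCSPCache() { mOCSPCache.Clear(); }

  // NOTE(review): these are public data members rather than accessors; being
  // const, callers can read the effective policy but cannot alter it.
  const bool mOCSPDownloadEnabled;
  const bool mOCSPStrict;
  const bool mOCSPGETEnabled;
  const pinning_enforcement_config mPinningEnforcementLevel;

private:
  // Cache of OCSP results consulted during verification; cleared through
  // ClearOCSPCache().
  OCSPCache mOCSPCache;
};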
// Initializes the cert-verifier logging; declared here, defined outside this
// header (NOTE(review): call-site and exact logging target not visible here).
void InitCertVerifierLog();
82 } } // namespace mozilla::psm
84 #endif // mozilla_psm__CertVerifier_h