1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_psm__CertVerifier_h
8 #define mozilla_psm__CertVerifier_h
10 #include "pkix/pkixtypes.h"
11 #include "OCSPCache.h"
12 #include "ScopedNSSTypes.h"
14 namespace mozilla { namespace psm {
16 struct ChainValidationCallbackState;
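// Entry point for certificate chain validation in PSM.  An instance carries
// the OCSP / pinning policy it was constructed with (the public const members
// below) plus an OCSPCache.  This header only declares the API; where a
// comment below says "presumably" or "per its name", the behaviour is inferred
// from the identifier and must be confirmed against CertVerifier.cpp.
//
// Note for the rendered listing: the brace-only lines (`{` after the class
// name and the `};` closing each enum and the class) were dropped by the
// viewer; they are restored here so the declaration is well-formed.
class CertVerifier
{
public:
  typedef unsigned int Flags;
  // Per its name, restricts verification to locally available data (no
  // network fetches).  The original note says it is ignored in the classic
  // verification case, so callers must not rely on it to suppress network
  // access on that path.
  static const Flags FLAG_LOCAL_ONLY;
  // Don't perform fallback DV validation on EV validation failure: if EV
  // validation fails the whole verification fails rather than degrading
  // silently to DV.
  static const Flags FLAG_MUST_BE_EV;

  // Outcome of stapled-OCSP processing for the last verification.
  // These values correspond to the SSL_OCSP_STAPLING telemetry, so they are
  // reported as numeric buckets: do not renumber or reorder them.
  enum OCSPStaplingStatus {
    OCSP_STAPLING_NEVER_CHECKED = 0,
    OCSP_STAPLING_GOOD = 1,
    OCSP_STAPLING_NONE = 2,
    OCSP_STAPLING_EXPIRED = 3,
    OCSP_STAPLING_INVALID = 4,
  };

  // Verify `cert` for a single `usage` at `time`.
  //
  //   cert                 end-entity certificate to validate
  //   usage                the SECCertificateUsage to validate for; only one
  //                        usage per verification is supported
  //   time                 caller-supplied verification time; anything other
  //                        than "now" changes expiry/revocation decisions,
  //                        so callers should pass a trustworthy clock
  //   pinArg               opaque pointer forwarded to NSS (presumably the
  //                        PK11 password callback argument) -- confirm
  //   hostname             the name the certificate is expected to be used
  //                        for; presumably also keyed into pin lookups
  //   flags                bitwise OR of FLAG_* values (default: none)
  //   stapledOCSPResponse  optional DER OCSP response; when it comes from a
  //                        TLS peer it is untrusted input and is only
  //                        meaningful once validated against the issuer
  //   builtChain           optional out: receives the validated chain
  //   evOidPolicy          optional out: *evOidPolicy == SEC_OID_UNKNOWN
  //                        means the cert is NOT EV
  //   ocspStaplingStatus   optional out: see OCSPStaplingStatus
  //
  // Returns SECSuccess / SECFailure; the detailed error code is presumably
  // available through PR_GetError() as is usual for NSS -- confirm.
  SECStatus VerifyCert(CERTCertificate* cert,
                       SECCertificateUsage usage,
                       mozilla::pkix::Time time,
                       void* pinArg,
                       const char* hostname,
                       Flags flags = 0,
       /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
      /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
      /*optional out*/ SECOidTag* evOidPolicy = nullptr,
      /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr);

  // TLS-server-specific front end: validate `peerCert` as a server
  // certificate for `hostname`.  Parameters shared with VerifyCert have the
  // same meaning.  `saveIntermediatesInPermanentDatabase` (default false),
  // per its name, persists the intermediates of the built chain to the
  // permanent certificate database; since those certificates arrive from the
  // peer, only a chain that validated successfully should ever be saved --
  // confirm the implementation enforces that.
  SECStatus VerifySSLServerCert(
                    CERTCertificate* peerCert,
       /*optional*/ const SECItem* stapledOCSPResponse,
                    mozilla::pkix::Time time,
       /*optional*/ void* pinarg,
                    const char* hostname,
                    bool saveIntermediatesInPermanentDatabase = false,
                    Flags flags = 0,
   /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
   /*optional out*/ SECOidTag* evOidPolicy = nullptr,
   /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr);

  // Public-key pinning policy.  The names suggest (confirm against the
  // implementation): pinningDisabled -> no pin checks at all;
  // pinningAllowUserCAMITM -> pins are not enforced when the chain ends in a
  // user-added root, which permits locally installed interception proxies;
  // pinningStrict -> pins are enforced regardless of the root's origin;
  // pinningEnforceTestMode -> additionally enforce pins that are otherwise
  // only in test (report-only) mode.
  enum PinningMode {
    pinningDisabled = 0,
    pinningAllowUserCAMITM = 1,
    pinningStrict = 2,
    pinningEnforceTestMode = 3
  };

  // Configuration enums.  Only the three ocsp_* enums and PinningMode are
  // consumed by the constructor declared below; missing_cert_download_config
  // and crl_download_config are not referenced anywhere in this header and
  // may be legacy -- check callers before relying on them.
  enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
  enum crl_download_config { crl_local_only = 0, crl_download_allowed };
  // Whether OCSP responses may be fetched over the network (mOCSPDownloadEnabled).
  enum ocsp_download_config { ocsp_off = 0, ocsp_on };
  // Presumably whether an OCSP fetch failure is fatal (strict) or tolerated
  // (relaxed) -- confirm; exposed as mOCSPStrict.
  enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
  // Presumably whether OCSP requests may use HTTP GET (as opposed to POST
  // only) -- confirm; exposed as mOCSPGETEnabled.
  enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };

  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }

  // Captures the policy into the const members below; the policy cannot be
  // changed after construction.
  CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
               ocsp_get_config ogc, PinningMode pinningMode);
  ~CertVerifier();

  // Drops every cached OCSP result; the next verification re-fetches.
  void ClearOCSPCache() { mOCSPCache.Clear(); }

  // Policy snapshot taken at construction.  Public but const, so readable by
  // callers and immutable thereafter.
  const bool mOCSPDownloadEnabled;
  const bool mOCSPStrict;
  const bool mOCSPGETEnabled;
  const PinningMode mPinningMode;

private:
  OCSPCache mOCSPCache;
};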
// Free helpers in mozilla::psm used by the verifier implementation.

// Sets up the verifier's logging (presumably a PR log module) -- confirm.
void InitCertVerifierLog();
// Reports through `result` whether `cert` is one of the built-in roots;
// returns SECSuccess / SECFailure for the lookup itself, so callers must
// check the return value before trusting `result`.
SECStatus IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
// Per its name, checks that the chain in `certList` contains a key expected
// for `hostname` (i.e. the pinning check), evaluated at `time` under
// `pinningMode` (see CertVerifier::PinningMode).  Returns a mozilla::pkix
// Result rather than SECStatus -- confirm the exact success/failure codes in
// the implementation.
mozilla::pkix::Result CertListContainsExpectedKeys(
  const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time,
  CertVerifier::PinningMode pinningMode);
97 } } // namespace mozilla::psm
99 #endif // mozilla_psm__CertVerifier_h