1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef mozilla_psm__CertVerifier_h
8 #define mozilla_psm__CertVerifier_h
10 #include "pkix/pkixtypes.h"
11 #include "OCSPCache.h"
12 #include "ScopedNSSTypes.h"
14 namespace mozilla
{ namespace psm
{
// Forward declaration only; the definition lives elsewhere.
struct ChainValidationCallbackState;
// Type of the FLAG_* verification option constants declared below.
using Flags = unsigned int;
// Verification options of type Flags. Both are static const data members
// declared without an initializer, so their values are defined out of line.
// XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case, so a
// caller cannot rely on it there (presumably it is meant to suppress network
// fetches during verification -- confirm against the implementation).
static const Flags FLAG_LOCAL_ONLY;
// Don't perform fallback DV validation on EV validation failure.
static const Flags FLAG_MUST_BE_EV;
27 // These values correspond to the SSL_OCSP_STAPLING telemetry.
28 enum OCSPStaplingStatus
{
29 OCSP_STAPLING_NEVER_CHECKED
= 0,
30 OCSP_STAPLING_GOOD
= 1,
31 OCSP_STAPLING_NONE
= 2,
32 OCSP_STAPLING_EXPIRED
= 3,
33 OCSP_STAPLING_INVALID
= 4,
// Verifies |cert| for a single |usage| at |time|.
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
//
// stapledOCSPResponse: optional in; the stapled OCSP response to check, or
//                      nullptr when there is none.
// builtChain:          optional out; nothing is written when nullptr.
// evOidPolicy:         optional out; see the EV note above.
// ocspStaplingStatus:  optional out; one of the OCSPStaplingStatus values
//                      (which correspond to the SSL_OCSP_STAPLING telemetry).
// Returns a SECStatus; treat anything other than SECSuccess as failure and do
// not rely on the out-params in that case (presumably they are not populated
// on failure -- confirm in the implementation).
SECStatus VerifyCert(CERTCertificate* cert,
                     SECCertificateUsage usage,
                     mozilla::pkix::Time time,
     /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
    /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
    /*optional out*/ SECOidTag* evOidPolicy = nullptr,
    /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr);
// Verifies |peerCert| as a TLS server certificate at |time|.
//
// peerCert:            the end-entity certificate presented by the server.
// stapledOCSPResponse: optional; nullptr when the server stapled nothing.
// pinarg:              optional; opaque argument handed through to NSS
//                      (presumably the PKCS#11 pin-callback argument).
// saveIntermediatesInPermanentDatabase:
//                      defaults to false. When true, intermediates from the
//                      presented chain appear to be persisted -- confirm in
//                      the implementation; note that such material is
//                      peer-supplied, so it must only be kept for chains that
//                      actually verified.
// builtChain / evOidPolicy / ocspStaplingStatus:
//                      optional out; same meaning as for VerifyCert.
// Returns a SECStatus; anything other than SECSuccess is a failure.
SECStatus VerifySSLServerCert(
                  CERTCertificate* peerCert,
     /*optional*/ const SECItem* stapledOCSPResponse,
                  mozilla::pkix::Time time,
     /*optional*/ void* pinarg,
                  bool saveIntermediatesInPermanentDatabase = false,
 /*optional out*/ ScopedCERTCertList* builtChain = nullptr,
 /*optional out*/ SECOidTag* evOidPolicy = nullptr,
 /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr);
63 pinningAllowUserCAMITM
= 1,
65 pinningEnforceTestMode
= 3
// Whether certificates missing from a presented chain may be downloaded.
// The "off" setting is the zero value.
enum missing_cert_download_config {
  missing_cert_download_off = 0,
  missing_cert_download_on = 1
};
// Whether CRLs may be fetched over the network or only local copies are used.
// The local-only setting is the zero value.
enum crl_download_config {
  crl_local_only = 0,
  crl_download_allowed = 1
};
// Whether OCSP responses may be fetched over the network at all.
// Off is the zero value.
enum ocsp_download_config {
  ocsp_off = 0,
  ocsp_on = 1
};
// How an unobtainable OCSP response is treated: relaxed (zero value) versus
// strict. Presumably relaxed soft-fails and strict hard-fails -- confirm in the
// verifier implementation before relying on either.
enum ocsp_strict_config {
  ocsp_relaxed = 0,
  ocsp_strict = 1
};
// Whether OCSP requests may be issued with HTTP GET (presumably in addition to
// POST); disabled is the zero value.
enum ocsp_get_config {
  ocsp_get_disabled = 0,
  ocsp_get_enabled = 1
};
// Reports whether this verifier may fetch OCSP responses over the network.
// Simply mirrors mOCSPDownloadEnabled, which is const and therefore fixed at
// construction.
bool IsOCSPDownloadEnabled() const
{
  return mOCSPDownloadEnabled;
}
// Constructs a verifier whose OCSP and pinning behaviour is fixed for its
// lifetime: the const members declared below can only be set here, and the
// enum -> bool mapping presumably happens in the constructor definition
// (confirm there).
CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
             ocsp_get_config ogc, PinningMode pinningMode);
// Empties the OCSP response cache (see OCSPCache.h). Verifications that follow
// start from an empty cache, so previously cached revocation results are no
// longer available to them.
void ClearOCSPCache()
{
  mOCSPCache.Clear();
}
// Configuration snapshot: each member is const, so it is set exactly once in
// the constructor's initializer list and cannot change afterwards.
const bool mOCSPDownloadEnabled;   // also exposed via IsOCSPDownloadEnabled()
const bool mOCSPStrict;            // presumably derived from ocsp_strict_config
const bool mOCSPGETEnabled;        // presumably derived from ocsp_get_config
const PinningMode mPinningMode;    // presumably the constructor's pinningMode
// Free helpers in the mozilla::psm namespace.

// Initialises the certificate verifier's logging; takes nothing, returns
// nothing.
void InitCertVerifierLog();

// Determines whether |cert| is one of the built-in roots. The answer is
// delivered through |result|; the SECStatus return reports only whether the
// query itself succeeded, so check it before reading |result| (|result| is
// presumably left unset on failure -- confirm in the definition).
SECStatus IsCertBuiltInRoot(CERTCertificate* cert, bool& result);

// Appears to be the key-pinning check: verifies that |certList| contains a key
// expected for |hostname| at |time| under |pinningMode|. Note it returns a
// mozilla::pkix::Result rather than a SECStatus, so callers must map it.
mozilla::pkix::Result CertListContainsExpectedKeys(
    const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time,
    CertVerifier::PinningMode pinningMode);
97 } } // namespace mozilla::psm
99 #endif // mozilla_psm__CertVerifier_h