security/certverifier/OCSPCache.h

   1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
   3 /* This code is made available to you under your choice of the following sets
   4  * of licensing terms:
   5  */
   6 /* This Source Code Form is subject to the terms of the Mozilla Public
   7  * License, v. 2.0. If a copy of the MPL was not distributed with this
   8  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   9  */
  10 /* Copyright 2013 Mozilla Contributors
  11  *
  12  * Licensed under the Apache License, Version 2.0 (the "License");
  13  * you may not use this file except in compliance with the License.
  14  * You may obtain a copy of the License at
  15  *
  16  *     http://www.apache.org/licenses/LICENSE-2.0
  17  *
  18  * Unless required by applicable law or agreed to in writing, software
  19  * distributed under the License is distributed on an "AS IS" BASIS,
  20  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  21  * See the License for the specific language governing permissions and
  22  * limitations under the License.
  23  */
  24
  25 #ifndef mozilla_psm_OCSPCache_h
  26 #define mozilla_psm_OCSPCache_h
  27
  28 #include "hasht.h"
  29 #include "mozilla/Mutex.h"
  30 #include "mozilla/Vector.h"
  31 #include "pkix/Result.h"
  32 #include "pkix/Time.h"
  33 #include "prerror.h"
  34 #include "seccomon.h"
  35
  36 namespace mozilla { namespace pkix {
  37 struct CertID;
  38 } } // namespace mozilla::pkix
  39
  40 namespace mozilla { namespace psm {
  41
  42 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
  43 typedef uint8_t SHA384Buffer[SHA384_LENGTH];
  44
  45 // OCSPCache can store and retrieve OCSP response verification results. Each
  46 // result is keyed on the certificate that purportedly corresponds to it (where
  47 // certificates are distinguished based on serial number, issuer, and
  48 // issuer public key, much like in an encoded OCSP response itself). A maximum
  49 // of 1024 distinct entries can be stored.
  50 // OCSPCache is thread-safe.
  51 class OCSPCache
  52 {
  53 public:
  54   OCSPCache();
  55   ~OCSPCache();
  56
  57   // Returns true if the status of the given certificate (issued by the given
  58   // issuer) is in the cache, and false otherwise.
  59   // If it is in the cache, returns by reference the error code of the cached
  60   // status and the time through which the status is considered trustworthy.
  61   bool Get(const mozilla::pkix::CertID& aCertID,
  62            /*out*/ mozilla::pkix::Result& aResult,
  63            /*out*/ mozilla::pkix::Time& aValidThrough);
  64
  65   // Caches the status of the given certificate (issued by the given issuer).
  66   // The status is considered trustworthy through the given time.
  67   // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
  68   // be replaced or evicted.
  69   // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
  70   // be evicted when the cache is full.
  71   // A status with a more recent thisUpdate will not be replaced with a
  72   // status with a less recent thisUpdate unless the less recent status
  73   // indicates the certificate is revoked.
  74   mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID,
  75                             mozilla::pkix::Result aResult,
  76                             mozilla::pkix::Time aThisUpdate,
  77                             mozilla::pkix::Time aValidThrough);
  78
  79   // Removes everything from the cache.
  80   void Clear();
  81
  82 private:
  83   class Entry
  84   {
  85   public:
  86     Entry(mozilla::pkix::Result aResult,
  87           mozilla::pkix::Time aThisUpdate,
  88           mozilla::pkix::Time aValidThrough)
  89       : mResult(aResult)
  90       , mThisUpdate(aThisUpdate)
  91       , mValidThrough(aValidThrough)
  92     {
  93     }
  94     mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID);
  95
  96     mozilla::pkix::Result mResult;
  97     mozilla::pkix::Time mThisUpdate;
  98     mozilla::pkix::Time mValidThrough;
  99     // The SHA-384 hash of the concatenation of the DER encodings of the
 100     // issuer name and issuer key, followed by the serial number.
 101     // See the documentation for CertIDHash in OCSPCache.cpp.
 102     SHA384Buffer mIDHash;
 103   };
 104
 105   bool FindInternal(const mozilla::pkix::CertID& aCertID, /*out*/ size_t& index,
 106                     const MutexAutoLock& aProofOfLock);
 107   void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
 108
 109   Mutex mMutex;
 110   static const size_t MaxEntries = 1024;
 111   // Sorted with the most-recently-used entry at the end.
 112   // Using 256 here reserves as much possible inline storage as the vector
 113   // implementation will give us. 1024 bytes is the maximum it allows,
 114   // which results in 256 Entry pointers or 128 Entry pointers, depending
 115   // on the size of a pointer.
 116   Vector<Entry*, 256> mEntries;
 117 };
 118
 119 } } // namespace mozilla::psm
 120
 121 #endif // mozilla_psm_OCSPCache_h