1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This code is made available to you under your choice of the following sets
6 /* This Source Code Form is subject to the terms of the Mozilla Public
7 * License, v. 2.0. If a copy of the MPL was not distributed with this
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
10 /* Copyright 2013 Mozilla Contributors
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
16 * http://www.apache.org/licenses/LICENSE-2.0
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
25 #ifndef mozilla_psm_OCSPCache_h
26 #define mozilla_psm_OCSPCache_h
29 #include "mozilla/Mutex.h"
30 #include "mozilla/Vector.h"
31 #include "pkix/Result.h"
32 #include "pkix/Time.h"
36 namespace mozilla
{ namespace pkix
{
38 } } // namespace mozilla::pkix
40 namespace mozilla
{ namespace psm
{
42 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
43 typedef uint8_t SHA384Buffer
[SHA384_LENGTH
];
45 // OCSPCache can store and retrieve OCSP response verification results. Each
46 // result is keyed on the certificate that purportedly corresponds to it (where
47 // certificates are distinguished based on serial number, issuer, and
48 // issuer public key, much like in an encoded OCSP response itself). A maximum
49 // of 1024 distinct entries can be stored.
50 // OCSPCache is thread-safe.
57 // Returns true if the status of the given certificate (issued by the given
58 // issuer) is in the cache, and false otherwise.
59 // If it is in the cache, returns by reference the error code of the cached
60 // status and the time through which the status is considered trustworthy.
61 bool Get(const mozilla::pkix::CertID
& aCertID
,
62 /*out*/ mozilla::pkix::Result
& aResult
,
63 /*out*/ mozilla::pkix::Time
& aValidThrough
);
65 // Caches the status of the given certificate (issued by the given issuer).
66 // The status is considered trustworthy through the given time.
67 // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
68 // be replaced or evicted.
69 // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
70 // be evicted when the cache is full.
71 // A status with a more recent thisUpdate will not be replaced with a
72 // status with a less recent thisUpdate unless the less recent status
73 // indicates the certificate is revoked.
74 mozilla::pkix::Result
Put(const mozilla::pkix::CertID
& aCertID
,
75 mozilla::pkix::Result aResult
,
76 mozilla::pkix::Time aThisUpdate
,
77 mozilla::pkix::Time aValidThrough
);
79 // Removes everything from the cache.
86 Entry(mozilla::pkix::Result aResult
,
87 mozilla::pkix::Time aThisUpdate
,
88 mozilla::pkix::Time aValidThrough
)
90 , mThisUpdate(aThisUpdate
)
91 , mValidThrough(aValidThrough
)
94 mozilla::pkix::Result
Init(const mozilla::pkix::CertID
& aCertID
);
96 mozilla::pkix::Result mResult
;
97 mozilla::pkix::Time mThisUpdate
;
98 mozilla::pkix::Time mValidThrough
;
99 // The SHA-384 hash of the concatenation of the DER encodings of the
100 // issuer name and issuer key, followed by the serial number.
101 // See the documentation for CertIDHash in OCSPCache.cpp.
102 SHA384Buffer mIDHash
;
105 bool FindInternal(const mozilla::pkix::CertID
& aCertID
, /*out*/ size_t& index
,
106 const MutexAutoLock
& aProofOfLock
);
107 void MakeMostRecentlyUsed(size_t aIndex
, const MutexAutoLock
& aProofOfLock
);
110 static const size_t MaxEntries
= 1024;
111 // Sorted with the most-recently-used entry at the end.
112 // Using 256 here reserves as much possible inline storage as the vector
113 // implementation will give us. 1024 bytes is the maximum it allows,
114 // which results in 256 Entry pointers or 128 Entry pointers, depending
115 // on the size of a pointer.
116 Vector
<Entry
*, 256> mEntries
;
119 } } // namespace mozilla::psm
121 #endif // mozilla_psm_OCSPCache_h