|
Packit |
f0b94e |
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
f0b94e |
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit |
f0b94e |
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#ifndef PublicKeyPinningService_h
|
|
Packit |
f0b94e |
#define PublicKeyPinningService_h
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#include "CertVerifier.h"
|
|
Packit |
f0b94e |
#include "ScopedNSSTypes.h"
|
|
Packit |
f0b94e |
#include "cert.h"
|
|
Packit |
f0b94e |
#include "nsNSSCertificate.h"
|
|
Packit |
f0b94e |
#include "nsString.h"
|
|
Packit |
f0b94e |
#include "nsTArray.h"
|
|
Packit |
f0b94e |
#include "pkix/Time.h"
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
namespace mozilla {
|
|
Packit |
f0b94e |
class OriginAttributes;
|
|
Packit |
f0b94e |
}
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
using mozilla::OriginAttributes;
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
namespace mozilla {
|
|
Packit |
f0b94e |
namespace psm {
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
class PublicKeyPinningService {
|
|
Packit |
f0b94e |
public:
|
|
Packit |
f0b94e |
/**
|
|
Packit |
f0b94e |
* Sets chainHasValidPins to true if the given (host, certList) passes pinning
|
|
Packit |
f0b94e |
* checks, or to false otherwise. If the host is pinned, returns true via
|
|
Packit |
f0b94e |
* chainHasValidPins if one of the keys in the given certificate chain matches
|
|
Packit |
f0b94e |
* the pin set specified by the hostname. The certList's head is the EE cert
|
|
Packit |
f0b94e |
* and the tail is the trust anchor.
|
|
Packit |
f0b94e |
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
|
|
Packit |
f0b94e |
* that would otherwise be valid for it
|
|
Packit |
f0b94e |
*/
|
|
Packit |
f0b94e |
static nsresult ChainHasValidPins(
|
|
Packit |
f0b94e |
const RefPtr<nsNSSCertList>& certList, const char* hostname,
|
|
Packit |
f0b94e |
mozilla::pkix::Time time, bool enforceTestMode,
|
|
Packit |
f0b94e |
const OriginAttributes& originAttributes,
|
|
Packit |
f0b94e |
/*out*/ bool& chainHasValidPins,
|
|
Packit |
f0b94e |
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
|
|
Packit |
f0b94e |
/**
|
|
Packit |
f0b94e |
* Sets chainMatchesPinset to true if there is any intersection between the
|
|
Packit |
f0b94e |
* certificate list and the pins specified in the aSHA256keys array.
|
|
Packit |
f0b94e |
* Values passed in are assumed to be in base64 encoded form.
|
|
Packit |
f0b94e |
*/
|
|
Packit |
f0b94e |
static nsresult ChainMatchesPinset(const RefPtr<nsNSSCertList>& certList,
|
|
Packit |
f0b94e |
const nsTArray<nsCString>& aSHA256keys,
|
|
Packit |
f0b94e |
/*out*/ bool& chainMatchesPinset);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
/**
|
|
Packit |
f0b94e |
* Returns true via the output parameter hostHasPins if there is pinning
|
|
Packit |
f0b94e |
* information for the given host that is valid at the given time, and false
|
|
Packit |
f0b94e |
* otherwise.
|
|
Packit |
f0b94e |
*/
|
|
Packit |
f0b94e |
static nsresult HostHasPins(const char* hostname, mozilla::pkix::Time time,
|
|
Packit |
f0b94e |
bool enforceTestMode,
|
|
Packit |
f0b94e |
const OriginAttributes& originAttributes,
|
|
Packit |
f0b94e |
/*out*/ bool& hostHasPins);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
/**
|
|
Packit |
f0b94e |
* Given a hostname of potentially mixed case with potentially multiple
|
|
Packit |
f0b94e |
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
|
|
Packit |
f0b94e |
* trailing '.'.
|
|
Packit |
f0b94e |
*/
|
|
Packit |
f0b94e |
static nsAutoCString CanonicalizeHostname(const char* hostname);
|
|
Packit |
f0b94e |
};
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
} // namespace psm
|
|
Packit |
f0b94e |
} // namespace mozilla
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#endif // PublicKeyPinningService_h
|