diff options
Diffstat (limited to '')
-rw-r--r-- | security/manager/ssl/PublicKeyPinningService.h | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h new file mode 100644 index 0000000000..5a16d838e0 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.h @@ -0,0 +1,65 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PublicKeyPinningService_h +#define PublicKeyPinningService_h + +#include "CertVerifier.h" +#include "ScopedNSSTypes.h" +#include "cert.h" +#include "nsNSSCertificate.h" +#include "nsString.h" +#include "nsTArray.h" +#include "mozilla/Span.h" +#include "mozpkix/Time.h" + +namespace mozilla { +class OriginAttributes; +} + +using mozilla::OriginAttributes; + +namespace mozilla { +namespace psm { + +class PublicKeyPinningService { + public: + /** + * Sets chainHasValidPins to true if the given (host, certList) passes pinning + * checks, or to false otherwise. If the host is pinned, returns true via + * chainHasValidPins if one of the keys in the given certificate chain matches + * the pin set specified by the hostname. The certList's head is the EE cert + * and the tail is the trust anchor. + * Note: if an alt name is a wildcard, it won't necessarily find a pinset + * that would otherwise be valid for it + */ + static nsresult ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool enforceTestMode, + const OriginAttributes& originAttributes, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo); + + /** + * Returns true via the output parameter hostHasPins if there is pinning + * information for the given host that is valid at the given time, and false + * otherwise. + */ + static nsresult HostHasPins(const char* hostname, mozilla::pkix::Time time, + bool enforceTestMode, + const OriginAttributes& originAttributes, + /*out*/ bool& hostHasPins); + + /** + * Given a hostname of potentially mixed case with potentially multiple + * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no + * trailing '.'. + */ + static nsAutoCString CanonicalizeHostname(const char* hostname); +}; + +} // namespace psm +} // namespace mozilla + +#endif // PublicKeyPinningService_h |