blob: 46bcf01d1812f8c944db379046b883b0ffdc193c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef PublicKeyPinningService_h
#define PublicKeyPinningService_h
#include "CertVerifier.h"
#include "nsIPublicKeyPinningService.h"
#include "nsString.h"
#include "nsTArray.h"
#include "mozilla/Span.h"
#include "mozpkix/Time.h"
namespace mozilla {
namespace psm {
class PublicKeyPinningService final : public nsIPublicKeyPinningService {
public:
PublicKeyPinningService() = default;
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIPUBLICKEYPINNINGSERVICE
/**
* Sets chainHasValidPins to true if the given (host, certList) passes pinning
* checks, or to false otherwise. If the host is pinned, returns true via
* chainHasValidPins if one of the keys in the given certificate chain matches
* the pin set specified by the hostname. The certList's head is the EE cert
* and the tail is the trust anchor.
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
* that would otherwise be valid for it
*/
static nsresult ChainHasValidPins(
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
/**
* Given a hostname of potentially mixed case with potentially multiple
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
* trailing '.'.
*/
static nsAutoCString CanonicalizeHostname(const char* hostname);
private:
~PublicKeyPinningService() = default;
};
} // namespace psm
} // namespace mozilla
#endif // PublicKeyPinningService_h
|
