diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:22:09 +0000 |
commit | 43a97878ce14b72f0981164f87f2e35e14151312 (patch) | |
tree | 620249daf56c0258faa40cbdcf9cfba06de2a846 /security/manager/ssl/PublicKeyPinningService.h | |
parent | Initial commit. (diff) | |
download | firefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip |
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/PublicKeyPinningService.h')
-rw-r--r-- | security/manager/ssl/PublicKeyPinningService.h | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h new file mode 100644 index 0000000000..46bcf01d18 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.h @@ -0,0 +1,54 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PublicKeyPinningService_h +#define PublicKeyPinningService_h + +#include "CertVerifier.h" +#include "nsIPublicKeyPinningService.h" +#include "nsString.h" +#include "nsTArray.h" +#include "mozilla/Span.h" +#include "mozpkix/Time.h" + +namespace mozilla { +namespace psm { + +class PublicKeyPinningService final : public nsIPublicKeyPinningService { + public: + PublicKeyPinningService() = default; + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIPUBLICKEYPINNINGSERVICE + + /** + * Sets chainHasValidPins to true if the given (host, certList) passes pinning + * checks, or to false otherwise. If the host is pinned, returns true via + * chainHasValidPins if one of the keys in the given certificate chain matches + * the pin set specified by the hostname. The certList's head is the EE cert + * and the tail is the trust anchor. + * Note: if an alt name is a wildcard, it won't necessarily find a pinset + * that would otherwise be valid for it + */ + static nsresult ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool isBuiltInRoot, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo); + + /** + * Given a hostname of potentially mixed case with potentially multiple + * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no + * trailing '.'. + */ + static nsAutoCString CanonicalizeHostname(const char* hostname); + + private: + ~PublicKeyPinningService() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif // PublicKeyPinningService_h |