summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/PublicKeyPinningService.h
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /security/manager/ssl/PublicKeyPinningService.h
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/PublicKeyPinningService.h')
-rw-r--r--security/manager/ssl/PublicKeyPinningService.h54
1 files changed, 54 insertions, 0 deletions
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h
new file mode 100644
index 0000000000..46bcf01d18
--- /dev/null
+++ b/security/manager/ssl/PublicKeyPinningService.h
@@ -0,0 +1,54 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef PublicKeyPinningService_h
+#define PublicKeyPinningService_h
+
+#include "CertVerifier.h"
+#include "nsIPublicKeyPinningService.h"
+#include "nsString.h"
+#include "nsTArray.h"
+#include "mozilla/Span.h"
+#include "mozpkix/Time.h"
+
+namespace mozilla {
+namespace psm {
+
+class PublicKeyPinningService final : public nsIPublicKeyPinningService {
+ public:
+ PublicKeyPinningService() = default;
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIPUBLICKEYPINNINGSERVICE
+
+ /**
+ * Sets chainHasValidPins to true if the given (host, certList) passes pinning
+ * checks, or to false otherwise. If the host is pinned, returns true via
+ * chainHasValidPins if one of the keys in the given certificate chain matches
+ * the pin set specified by the hostname. The certList's head is the EE cert
+ * and the tail is the trust anchor.
+ * Note: if an alt name is a wildcard, it won't necessarily find a pinset
+ * that would otherwise be valid for it
+ */
+ static nsresult ChainHasValidPins(
+ const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
+ mozilla::pkix::Time time, bool isBuiltInRoot,
+ /*out*/ bool& chainHasValidPins,
+ /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
+
+ /**
+ * Given a hostname of potentially mixed case with potentially multiple
+ * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
+ * trailing '.'.
+ */
+ static nsAutoCString CanonicalizeHostname(const char* hostname);
+
+ private:
+ ~PublicKeyPinningService() = default;
+};
+
+} // namespace psm
+} // namespace mozilla
+
+#endif // PublicKeyPinningService_h