diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
| commit | 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch) | |
| tree | a68f146d7fa01f0134297619fbe7e33db084e0aa /security/manager/ssl/PublicKeyPinningService.h | |
| parent | Initial commit. (diff) | |
| download | thunderbird-upstream.tar.xz thunderbird-upstream.zip | |
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/PublicKeyPinningService.h')
| -rw-r--r-- | security/manager/ssl/PublicKeyPinningService.h | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/security/manager/ssl/PublicKeyPinningService.h b/security/manager/ssl/PublicKeyPinningService.h new file mode 100644 index 0000000000..46bcf01d18 --- /dev/null +++ b/security/manager/ssl/PublicKeyPinningService.h @@ -0,0 +1,54 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef PublicKeyPinningService_h +#define PublicKeyPinningService_h + +#include "CertVerifier.h" +#include "nsIPublicKeyPinningService.h" +#include "nsString.h" +#include "nsTArray.h" +#include "mozilla/Span.h" +#include "mozpkix/Time.h" + +namespace mozilla { +namespace psm { + +class PublicKeyPinningService final : public nsIPublicKeyPinningService { + public: + PublicKeyPinningService() = default; + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIPUBLICKEYPINNINGSERVICE + + /** + * Sets chainHasValidPins to true if the given (host, certList) passes pinning + * checks, or to false otherwise. If the host is pinned, returns true via + * chainHasValidPins if one of the keys in the given certificate chain matches + * the pin set specified by the hostname. The certList's head is the EE cert + * and the tail is the trust anchor. + * Note: if an alt name is a wildcard, it won't necessarily find a pinset + * that would otherwise be valid for it + */ + static nsresult ChainHasValidPins( + const nsTArray<Span<const uint8_t>>& certList, const char* hostname, + mozilla::pkix::Time time, bool isBuiltInRoot, + /*out*/ bool& chainHasValidPins, + /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo); + + /** + * Given a hostname of potentially mixed case with potentially multiple + * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no + * trailing '.'. + */ + static nsAutoCString CanonicalizeHostname(const char* hostname); + + private: + ~PublicKeyPinningService() = default; +}; + +} // namespace psm +} // namespace mozilla + +#endif // PublicKeyPinningService_h |