/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef nsNSSCertificate_h
#define nsNSSCertificate_h
#include <functional>

#include "ScopedNSSTypes.h"
#include "certt.h"
#include "nsCOMPtr.h"
#include "nsIASN1Object.h"
#include "nsIClassInfo.h"
#include "nsISerializable.h"
#include "nsISimpleEnumerator.h"
#include "nsIX509Cert.h"
#include "nsIX509CertDB.h"
#include "nsIX509CertList.h"
#include "nsNSSShutDown.h"
#include "nsStringFwd.h"
namespace mozilla { namespace pkix { class DERArray; } }
class nsINSSComponent;
class nsIASN1Sequence;
// Certificate object implementing nsIX509Cert, nsISerializable and
// nsIClassInfo. The underlying NSS certificate is held in mCert. The class
// derives from nsNSSShutDownObject and overrides virtualDestroyNSSReference().
class nsNSSCertificate final : public nsIX509Cert,
                               public nsISerializable,
                               public nsIClassInfo,
                               public nsNSSShutDownObject
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIX509CERT
  NS_DECL_NSISERIALIZABLE
  NS_DECL_NSICLASSINFO

  // NOTE(review): blame attributes the constructor and Create() signatures
  // below to bug 1313491, whose description says EV-related fields were
  // removed from structures that do not need them, and that EV status on TLS
  // session resumption is determined by a full verification carrying the
  // original context (stapled OCSP responses, SCTs, hostname, first-party
  // origin key). No EV-specific member is declared directly in this class.

  // Wraps an existing NSS certificate.
  // NOTE(review): whether `cert` is adopted or duplicated is not visible in
  // this header -- confirm in the implementation before relying on either.
  explicit nsNSSCertificate(CERTCertificate* cert);

  // Default construction; mCert is presumably left empty until the object is
  // initialized some other way (e.g. deserialization) -- confirm.
  nsNSSCertificate();

  // Factory counterpart of the constructors. `cert` may be omitted, in which
  // case nullptr is passed.
  static nsNSSCertificate* Create(CERTCertificate* cert = nullptr);

  // Builds a certificate object from `derLen` bytes of DER at `certDER`.
  // NOTE(review): the length is a signed int and the buffer is non-const.
  // Presumably the result is null when the DER cannot be imported, so callers
  // handling untrusted input should check the return value and pass only a
  // non-negative length that matches the buffer. Confirm against the
  // implementation.
  static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);

  // Kept as a standalone static so that nsNSSComponent can call it while NSS
  // is still initializing. Other code should probably not use it.
  static nsresult GetDbKey(const mozilla::UniqueCERTCertificate& cert,
                           nsACString& aDbKey);

private:
  virtual ~nsNSSCertificate();

  // NSS certificate handle held by this object.
  mozilla::UniqueCERTCertificate mCert;
  // NOTE(review): the meaning of the next two fields is defined in the
  // implementation and is not visible in this header.
  bool mPermDelete;
  uint32_t mCertType;

  nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
  nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence);
  nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate);

  // nsNSSShutDownObject hook, plus the variant that is safe to call from the
  // destructor.
  void virtualDestroyNSSReference() override;
  void destructorSafeDestroyNSSReference();

  bool InitFromDER(char* certDER, int derLen); // return false on failure

  // Produces a fingerprint of the certificate in aFingerprint using the
  // digest selected by aHashAlg (presumably over the DER encoding -- confirm).
  // Nothing in this declaration restricts aHashAlg, so the choice of a
  // suitably strong digest rests with the caller.
  nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg);
};
namespace mozilla {

// Fills `certList` with certificates built from the DER entries in
// `certArray` and reports the outcome as a SECStatus.
// NOTE(review): the name indicates the array is expected in reversed order
// relative to the resulting list; the exact ordering contract and whether
// `certList` is left untouched on failure are not visible here -- confirm in
// the implementation before relying on the list's order for trust decisions.
SECStatus ConstructCERTCertListFromReversedDERArray(
  const mozilla::pkix::DERArray& certArray,
  /*out*/ mozilla::UniqueCERTCertList& certList);

} // namespace mozilla
// Callback type for nsNSSCertList::ForEachCertificateInChain. It receives the
// current certificate and whether more certificates follow, and may clear
// `aContinue` to stop the iteration. The returned nsresult reports success or
// failure of the callback.
using ForEachCertOperation =
  const std::function<nsresult(nsCOMPtr<nsIX509Cert>& aCert,
                               bool aHasMore,
                               /* out */ bool& aContinue)>;
// List of certificates implementing nsIX509CertList and nsISerializable,
// backed by an NSS certificate list held in mCertList. Copying is disabled.
class nsNSSCertList: public nsIX509CertList,
                     public nsISerializable,
                     public nsNSSShutDownObject
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIX509CERTLIST
  NS_DECL_NSISERIALIZABLE

  // Takes ownership of certList (it is adopted, not copied).
  // NOTE(review): proofOfLock's type suggests the caller must already hold an
  // nsNSSShutDownPreventionLock -- confirm.
  nsNSSCertList(mozilla::UniqueCERTCertList certList,
                const nsNSSShutDownPreventionLock& proofOfLock);

  nsNSSCertList();

  // Returns a new list derived from certList (presumably a duplicate; the
  // input is taken by const reference and a separate owning handle is
  // returned).
  static mozilla::UniqueCERTCertList DupCertList(
    const mozilla::UniqueCERTCertList& certList,
    const nsNSSShutDownPreventionLock& proofOfLock);

  // Runs aOperation once for every certificate in this CertList.
  //  - To stop early and still return NS_OK, the operation sets its
  //    `aContinue` argument to false before returning.
  //  - To stop early with an error, the operation returns anything except
  //    NS_OK.
  //  - `aHasMore` is false when the operation is invoked for the last
  //    certificate in the chain.
  nsresult ForEachCertificateInChain(ForEachCertOperation& aOperation);

  // Splits a certificate chain into its root, its intermediates (if any) and
  // its end entity.
  //
  // The split is purely positional: the list is assumed to be ordered
  // [end entity, intermediates..., root] and that assumption is not checked.
  // If the list is ordered differently, the certificates at the two ends are
  // returned without regard to the actual chain of trust, so a caller that
  // has any doubt about the ordering should check it rather than trust the
  // outputs.
  //
  // Returns an error for self-signed or empty chains.
  // All arguments must be empty on entry; in particular the list
  // `aIntermediates` must be empty.
  nsresult SegmentCertificateChain(
    /* out */ nsCOMPtr<nsIX509Cert>& aRoot,
    /* out */ nsCOMPtr<nsIX509CertList>& aIntermediates,
    /* out */ nsCOMPtr<nsIX509Cert>& aEndEntity);

private:
  virtual ~nsNSSCertList();

  // nsNSSShutDownObject hook, plus the variant that is safe to call from the
  // destructor.
  void virtualDestroyNSSReference() override;
  void destructorSafeDestroyNSSReference();

  // NSS certificate list held by this object.
  mozilla::UniqueCERTCertList mCertList;

  // Non-copyable.
  nsNSSCertList(const nsNSSCertList&) = delete;
  void operator=(const nsNSSCertList&) = delete;
};
// nsISimpleEnumerator over an NSS certificate list. The enumerator keeps its
// own list handle in mCertList. Copying is disabled.
class nsNSSCertListEnumerator: public nsISimpleEnumerator,
                               public nsNSSShutDownObject
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSISIMPLEENUMERATOR

  // NOTE(review): certList is taken by const reference while the class stores
  // its own UniqueCERTCertList, so the constructor presumably duplicates the
  // list rather than adopting it -- confirm in the implementation.
  nsNSSCertListEnumerator(const mozilla::UniqueCERTCertList& certList,
                          const nsNSSShutDownPreventionLock& proofOfLock);

private:
  virtual ~nsNSSCertListEnumerator();

  // nsNSSShutDownObject hook, plus the variant that is safe to call from the
  // destructor.
  void virtualDestroyNSSReference() override;
  void destructorSafeDestroyNSSReference();

  // NSS certificate list being enumerated.
  mozilla::UniqueCERTCertList mCertList;

  // Non-copyable.
  nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) = delete;
  void operator=(const nsNSSCertListEnumerator&) = delete;
};
// 128-bit class ID written as a brace initializer: one 32-bit field, two
// 16-bit fields and eight trailing bytes. The canonical UUID spelling is in
// the inline comment. Presumably the CID for nsNSSCertificate -- the
// registration itself is not visible in this header.
#define NS_X509CERT_CID { /* 660a3226-915c-4ffb-bb20-8985a632df05 */ \
    0x660a3226,                                                      \
    0x915c,                                                          \
    0x4ffb,                                                          \
    { 0xbb, 0x20, 0x89, 0x85, 0xa6, 0x32, 0xdf, 0x05 }               \
  }
#endif // nsNSSCertificate_h