gecko-dev/security/certverifier/BRNameMatchingPolicy.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

58 строки
2.3 KiB
C
Исходник Обычный вид История

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef BRNameMatchingPolicy_h
#define BRNameMatchingPolicy_h
#include "mozpkix/pkixtypes.h"
namespace mozilla {
namespace psm {
// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
// the requirements of the subject common name field are as follows:
// "If present, this field MUST contain a single IP address or FullyQualified
// Domain Name that is one of the values contained in the Certificates
// subjectAltName extension". Consequently, since any name information present
// in the common name must be present in the subject alternative name extension,
// when performing name matching, it should not be necessary to fall back to the
// common name. Because this consequence has not commonly been enforced, this
// implementation provides a mechanism to start enforcing it gradually while
// maintaining some backwards compatibility. If configured with the mode
// "EnforceAfter23August2016", name matching will only fall back to using the
// subject common name for certificates where the notBefore field is before 23
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
// available. This is to provide a balance between allowing preexisting
// long-lived certificates and detecting newly-issued problematic certificates.
// Note that this implementation does not actually directly enforce that if the
// subject common name is present, its value corresponds to a dNSName or
// iPAddress entry in the subject alternative name extension.
class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy {
public:
enum class Mode {
DoNotEnforce = 0,
EnforceAfter23August2016 = 1,
EnforceAfter23August2015 = 2,
Enforce = 3,
};
explicit BRNameMatchingPolicy(Mode mode) : mMode(mode) {}
virtual mozilla::pkix::Result FallBackToCommonName(
mozilla::pkix::Time notBefore,
/*out*/ mozilla::pkix::FallBackToSearchWithinSubject&
fallBacktoCommonName) override;
private:
Mode mMode;
};
} // namespace psm
} // namespace mozilla
#endif // BRNameMatchingPolicy_h