2007-10-03 15:43:54 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
|
|
|
*
|
2012-05-31 13:33:35 +04:00
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2007-10-03 15:43:54 +04:00
|
|
|
|
2007-11-30 21:05:54 +03:00
|
|
|
#ifndef _NSSSLSTATUS_H
|
|
|
|
|
#define _NSSSLSTATUS_H
|
|
|
|
|
|
2016-09-28 20:19:56 +03:00
|
|
|
#include "CertVerifier.h" // For CertificateTransparencyInfo
|
2007-10-03 15:43:54 +04:00
|
|
|
#include "nsISSLStatus.h"
|
2012-10-18 00:48:36 +04:00
|
|
|
#include "nsCOMPtr.h"
|
2017-08-17 08:29:03 +03:00
|
|
|
#include "nsString.h"
|
2007-10-03 15:43:54 +04:00
|
|
|
#include "nsIX509Cert.h"
|
2017-10-26 19:52:11 +03:00
|
|
|
#include "nsIX509CertList.h"
|
2007-11-30 21:05:54 +03:00
|
|
|
#include "nsISerializable.h"
|
|
|
|
|
#include "nsIClassInfo.h"
|
2017-10-26 19:52:11 +03:00
|
|
|
#include "nsNSSCertificate.h"
|
|
|
|
|
#include "ScopedNSSTypes.h"
|
bug 1313491 - include more context when determining EV status r=Cykesiopka,jcj,mgoodwin
When doing TLS session resumption, the AuthCertificate hook is bypassed, which
means that the front-end doesn't know whether or not to show the EV indicator.
To deal with this, the platform attempts an EV verification. Before this patch,
this verification lacked much of the original context (e.g. stapled OCSP
responses, SCTs, the hostname, and in particular the first-party origin key).
Furthermore, it was unclear from a code architecture standpoint that a full
verification was even occurring. This patch brings the necessary context to the
verification and makes it much more clear that it is happening. It also takes
the opportunity to remove some unnecessary EV-related fields and information in
code and data structures that don't require it.
MozReview-Commit-ID: LTmZU4Z1YXL
--HG--
extra : rebase_source : 7db702f2037fae83c87fbb6aca75b4420544dff9
2016-11-01 03:02:57 +03:00
|
|
|
|
|
|
|
|
class nsNSSCertificate;
|
|
|
|
|
|
|
|
|
|
enum class EVStatus {
|
|
|
|
|
NotEV = 0,
|
|
|
|
|
EV = 1,
|
|
|
|
|
};
|
2007-10-03 15:43:54 +04:00
|
|
|
|
2015-03-21 19:28:04 +03:00
|
|
|
class nsSSLStatus final
|
2007-10-03 15:43:54 +04:00
|
|
|
: public nsISSLStatus
|
2007-11-30 21:05:54 +03:00
|
|
|
, public nsISerializable
|
|
|
|
|
, public nsIClassInfo
|
2007-10-03 15:43:54 +04:00
|
|
|
{
|
2014-06-24 02:40:03 +04:00
|
|
|
protected:
|
2018-01-25 01:29:08 +03:00
|
|
|
virtual ~nsSSLStatus() {}
|
2007-10-03 15:43:54 +04:00
|
|
|
public:
|
2013-07-19 06:24:14 +04:00
|
|
|
NS_DECL_THREADSAFE_ISUPPORTS
|
2007-10-03 15:43:54 +04:00
|
|
|
NS_DECL_NSISSLSTATUS
|
2007-11-30 21:05:54 +03:00
|
|
|
NS_DECL_NSISERIALIZABLE
|
|
|
|
|
NS_DECL_NSICLASSINFO
|
2007-10-03 15:43:54 +04:00
|
|
|
|
|
|
|
|
nsSSLStatus();
|
|
|
|
|
|
bug 1313491 - include more context when determining EV status r=Cykesiopka,jcj,mgoodwin
When doing TLS session resumption, the AuthCertificate hook is bypassed, which
means that the front-end doesn't know whether or not to show the EV indicator.
To deal with this, the platform attempts an EV verification. Before this patch,
this verification lacked much of the original context (e.g. stapled OCSP
responses, SCTs, the hostname, and in particular the first-party origin key).
Furthermore, it was unclear from a code architecture standpoint that a full
verification was even occurring. This patch brings the necessary context to the
verification and makes it much more clear that it is happening. It also takes
the opportunity to remove some unnecessary EV-related fields and information in
code and data structures that don't require it.
MozReview-Commit-ID: LTmZU4Z1YXL
--HG--
extra : rebase_source : 7db702f2037fae83c87fbb6aca75b4420544dff9
2016-11-01 03:02:57 +03:00
|
|
|
void SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus);
|
2014-12-24 16:04:24 +03:00
|
|
|
|
2017-10-26 19:52:11 +03:00
|
|
|
nsresult SetSucceededCertChain(mozilla::UniqueCERTCertList certList);
|
|
|
|
|
void SetFailedCertChain(nsIX509CertList* x509CertList);
|
|
|
|
|
|
2014-12-24 16:04:24 +03:00
|
|
|
bool HasServerCert() {
|
|
|
|
|
return mServerCert != nullptr;
|
|
|
|
|
}
|
2007-10-03 15:43:54 +04:00
|
|
|
|
2016-09-28 20:19:56 +03:00
|
|
|
void SetCertificateTransparencyInfo(
|
|
|
|
|
const mozilla::psm::CertificateTransparencyInfo& info);
|
|
|
|
|
|
2014-12-24 16:04:24 +03:00
|
|
|
/* public for initilization in this file */
|
2014-10-24 15:53:34 +04:00
|
|
|
uint16_t mCipherSuite;
|
|
|
|
|
uint16_t mProtocolVersion;
|
2016-09-28 20:19:56 +03:00
|
|
|
uint16_t mCertificateTransparencyStatus;
|
2017-08-28 16:29:19 +03:00
|
|
|
nsCString mKeaGroup;
|
|
|
|
|
nsCString mSignatureSchemeName;
|
2007-10-03 15:43:54 +04:00
|
|
|
|
2011-09-29 10:19:26 +04:00
|
|
|
bool mIsDomainMismatch;
|
|
|
|
|
bool mIsNotValidAtThisTime;
|
|
|
|
|
bool mIsUntrusted;
|
2014-12-24 16:04:24 +03:00
|
|
|
bool mIsEV;
|
2007-10-03 15:43:54 +04:00
|
|
|
|
2014-12-24 16:04:24 +03:00
|
|
|
bool mHasIsEVStatus;
|
2014-10-24 15:53:34 +04:00
|
|
|
bool mHaveCipherSuiteAndProtocol;
|
2011-12-13 19:55:50 +04:00
|
|
|
|
|
|
|
|
/* mHaveCertErrrorBits is relied on to determine whether or not a SPDY
|
|
|
|
|
connection is eligible for joining in nsNSSSocketInfo::JoinConnection() */
|
2011-09-29 10:19:26 +04:00
|
|
|
bool mHaveCertErrorBits;
|
2014-12-24 16:04:24 +03:00
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
nsCOMPtr<nsIX509Cert> mServerCert;
|
2017-10-26 19:52:11 +03:00
|
|
|
nsCOMPtr<nsIX509CertList> mSucceededCertChain;
|
|
|
|
|
nsCOMPtr<nsIX509CertList> mFailedCertChain;
|
2007-10-03 15:43:54 +04:00
|
|
|
};
|
2007-11-30 21:05:54 +03:00
|
|
|
|
|
|
|
|
#define NS_SSLSTATUS_CID \
|
2014-12-24 16:04:24 +03:00
|
|
|
{ 0xe2f14826, 0x9e70, 0x4647, \
|
|
|
|
|
{ 0xb2, 0x3f, 0x10, 0x10, 0xf5, 0x12, 0x46, 0x28 } }
|
2007-11-30 21:05:54 +03:00
|
|
|
|
|
|
|
|
#endif
|
