зеркало из https://github.com/mozilla/gecko-dev.git
55 строки
1.8 KiB
C++
55 строки
1.8 KiB
C++
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef PublicKeyPinningService_h
|
|
#define PublicKeyPinningService_h
|
|
|
|
#include "CertVerifier.h"
|
|
#include "nsIPublicKeyPinningService.h"
|
|
#include "nsString.h"
|
|
#include "nsTArray.h"
|
|
#include "mozilla/Span.h"
|
|
#include "mozpkix/Time.h"
|
|
|
|
namespace mozilla {
|
|
namespace psm {
|
|
|
|
class PublicKeyPinningService final : public nsIPublicKeyPinningService {
|
|
public:
|
|
PublicKeyPinningService() = default;
|
|
|
|
NS_DECL_THREADSAFE_ISUPPORTS
|
|
NS_DECL_NSIPUBLICKEYPINNINGSERVICE
|
|
|
|
/**
|
|
* Sets chainHasValidPins to true if the given (host, certList) passes pinning
|
|
* checks, or to false otherwise. If the host is pinned, returns true via
|
|
* chainHasValidPins if one of the keys in the given certificate chain matches
|
|
* the pin set specified by the hostname. The certList's head is the EE cert
|
|
* and the tail is the trust anchor.
|
|
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
|
|
* that would otherwise be valid for it
|
|
*/
|
|
static nsresult ChainHasValidPins(
|
|
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
|
|
mozilla::pkix::Time time, bool isBuiltInRoot,
|
|
/*out*/ bool& chainHasValidPins,
|
|
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
|
|
|
|
/**
|
|
* Given a hostname of potentially mixed case with potentially multiple
|
|
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
|
|
* trailing '.'.
|
|
*/
|
|
static nsAutoCString CanonicalizeHostname(const char* hostname);
|
|
|
|
private:
|
|
~PublicKeyPinningService() = default;
|
|
};
|
|
|
|
} // namespace psm
|
|
} // namespace mozilla
|
|
|
|
#endif // PublicKeyPinningService_h
|