nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity
fune/security/manager/ssl/PublicKeyPinningService.h
Dana Keeler ef0a88c6f2 Bug 1715142 - introduce nsIPublicKeyPinningService and remove 'type' parameter from nsISiteSecurityService r=rmf,necko-reviewers 
The public key pinning implementation is much less complex than the HSTS
implementation, and only needs a small subset of the parameters of the latter.
Furthermore, the information it relies on is static, and so is safe to access
from content processes. This patch separates the two implementations, thus
simplifying both of them and avoiding some unnecessary IPC calls in the
process.

Differential Revision: https://phabricator.services.mozilla.com/D117096
2021-06-12 01:12:25 +00:00

54 lines
1.8 KiB
C++
Raw Blame History

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef PublicKeyPinningService_h
#define PublicKeyPinningService_h
#include "CertVerifier.h"
#include "nsIPublicKeyPinningService.h"
#include "nsString.h"
#include "nsTArray.h"
#include "mozilla/Span.h"
#include "mozpkix/Time.h"
namespace mozilla {
namespace psm {
class PublicKeyPinningService final : public nsIPublicKeyPinningService {
public:
PublicKeyPinningService() = default;
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIPUBLICKEYPINNINGSERVICE
/**
* Sets chainHasValidPins to true if the given (host, certList) passes pinning
* checks, or to false otherwise. If the host is pinned, returns true via
* chainHasValidPins if one of the keys in the given certificate chain matches
* the pin set specified by the hostname. The certList's head is the EE cert
* and the tail is the trust anchor.
* Note: if an alt name is a wildcard, it won't necessarily find a pinset
* that would otherwise be valid for it
*/
static nsresult ChainHasValidPins(
const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
mozilla::pkix::Time time, bool isBuiltInRoot,
/*out*/ bool& chainHasValidPins,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);
/**
* Given a hostname of potentially mixed case with potentially multiple
* trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
* trailing '.'.
*/
static nsAutoCString CanonicalizeHostname(const char* hostname);
private:
~PublicKeyPinningService() = default;
};
} // namespace psm
} // namespace mozilla
#endif // PublicKeyPinningService_h
View git blame Copy permalink