OCSPCache.h (5560B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This code is made available to you under your choice of the following sets 4 * of licensing terms: 5 */ 6 /* This Source Code Form is subject to the terms of the Mozilla Public 7 * License, v. 2.0. If a copy of the MPL was not distributed with this 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. 9 */ 10 /* Copyright 2013 Mozilla Contributors 11 * 12 * Licensed under the Apache License, Version 2.0 (the "License"); 13 * you may not use this file except in compliance with the License. 14 * You may obtain a copy of the License at 15 * 16 * http://www.apache.org/licenses/LICENSE-2.0 17 * 18 * Unless required by applicable law or agreed to in writing, software 19 * distributed under the License is distributed on an "AS IS" BASIS, 20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 * See the License for the specific language governing permissions and 22 * limitations under the License. 23 */ 24 25 #ifndef mozilla_psm_OCSPCache_h 26 #define mozilla_psm_OCSPCache_h 27 28 #include "hasht.h" 29 #include "mozilla/Mutex.h" 30 #include "mozilla/Vector.h" 31 #include "mozpkix/Result.h" 32 #include "mozpkix/Time.h" 33 #include "prerror.h" 34 #include "seccomon.h" 35 36 namespace mozilla { 37 class OriginAttributes; 38 } 39 40 namespace mozilla { 41 namespace pkix { 42 struct CertID; 43 } 44 } // namespace mozilla 45 46 namespace mozilla { 47 namespace psm { 48 49 // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH" 50 typedef uint8_t SHA384Buffer[SHA384_LENGTH]; 51 52 // OCSPCache can store and retrieve OCSP response verification results. Each 53 // result is keyed on the certificate that purportedly corresponds to it (where 54 // certificates are distinguished based on serial number, issuer, and 55 // issuer public key, much like in an encoded OCSP response itself). A maximum 56 // of 1024 distinct entries can be stored. 57 // OCSPCache is thread-safe. 58 class OCSPCache { 59 public: 60 OCSPCache(); 61 ~OCSPCache(); 62 63 // Returns true if the status of the given certificate (issued by the given 64 // issuer) is in the cache, and false otherwise. 65 // If it is in the cache, returns by reference the error code of the cached 66 // status and the time through which the status is considered trustworthy. 67 // The passed in origin attributes are used to isolate the OCSP cache. 68 // We currently only use the first party domain portion of the attributes, and 69 // it is non-empty only when "privacy.firstParty.isolate" is enabled. 70 bool Get(const mozilla::pkix::CertID& aCertID, 71 const OriginAttributes& aOriginAttributes, 72 /*out*/ mozilla::pkix::Result& aResult, 73 /*out*/ mozilla::pkix::Time& aValidThrough); 74 75 // Caches the status of the given certificate (issued by the given issuer). 76 // The status is considered trustworthy through the given time. 77 // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not 78 // be replaced or evicted. 79 // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not 80 // be evicted when the cache is full. 81 // A status with a more recent thisUpdate will not be replaced with a 82 // status with a less recent thisUpdate unless the less recent status 83 // indicates the certificate is revoked. 84 // The passed in origin attributes are used to isolate the OCSP cache. 85 // We currently only use the first party domain portion of the attributes, and 86 // it is non-empty only when "privacy.firstParty.isolate" is enabled. 87 mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID, 88 const OriginAttributes& aOriginAttributes, 89 mozilla::pkix::Result aResult, 90 mozilla::pkix::Time aThisUpdate, 91 mozilla::pkix::Time aValidThrough); 92 93 // Removes everything from the cache. 94 void Clear(); 95 96 private: 97 class Entry { 98 public: 99 Entry(mozilla::pkix::Result aResult, mozilla::pkix::Time aThisUpdate, 100 mozilla::pkix::Time aValidThrough) 101 : mResult(aResult), 102 mThisUpdate(aThisUpdate), 103 mValidThrough(aValidThrough) {} 104 mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID, 105 const OriginAttributes& aOriginAttributes); 106 107 mozilla::pkix::Result mResult; 108 mozilla::pkix::Time mThisUpdate; 109 mozilla::pkix::Time mValidThrough; 110 // The SHA-384 hash of the concatenation of the DER encodings of the 111 // issuer name and issuer key, followed by the length of the serial number, 112 // the serial number, the length of the first party domain, and the first 113 // party domain (if "privacy.firstparty.isolate" is enabled). 114 // See the documentation for CertIDHash in OCSPCache.cpp. 115 SHA384Buffer mIDHash; 116 }; 117 118 bool FindInternal(const mozilla::pkix::CertID& aCertID, 119 const OriginAttributes& aOriginAttributes, 120 /*out*/ size_t& index, const MutexAutoLock& aProofOfLock); 121 void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock); 122 123 Mutex mMutex; 124 static const size_t MaxEntries = 1024; 125 // Sorted with the most-recently-used entry at the end. 126 // Using 256 here reserves as much possible inline storage as the vector 127 // implementation will give us. 1024 bytes is the maximum it allows, 128 // which results in 256 Entry pointers or 128 Entry pointers, depending 129 // on the size of a pointer. 130 Vector<Entry*, 256> mEntries MOZ_GUARDED_BY(mMutex); 131 }; 132 133 } // namespace psm 134 } // namespace mozilla 135 136 #endif // mozilla_psm_OCSPCache_h