PublicKeyPinningService.h (1809B)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef PublicKeyPinningService_h
#define PublicKeyPinningService_h

#include "CertVerifier.h"
#include "nsIPublicKeyPinningService.h"
#include "nsString.h"
#include "nsTArray.h"
#include "mozilla/Span.h"
#include "mozpkix/Time.h"

namespace mozilla {
namespace psm {

/**
 * Implementation of nsIPublicKeyPinningService, plus two static helpers used
 * for public key pinning checks on a certificate chain.
 *
 * The class is reference counted through NS_DECL_THREADSAFE_ISUPPORTS; the
 * destructor is private, so instances are presumably only released through
 * the reference count and never deleted directly.
 */
class PublicKeyPinningService final : public nsIPublicKeyPinningService {
 public:
  PublicKeyPinningService() = default;

  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIPUBLICKEYPINNINGSERVICE

  /**
   * Sets chainHasValidPins to true if the given (host, certList) passes pinning
   * checks, or to false otherwise. If the host is pinned, returns true via
   * chainHasValidPins if one of the keys in the given certificate chain matches
   * the pin set specified by the hostname. The certList's head is the EE
   * (end-entity) cert and the tail is the trust anchor.
   * Note: if an alt name is a wildcard, it won't necessarily find a pinset
   * that would otherwise be valid for it
   *
   * The pinning verdict is delivered only through chainHasValidPins; the
   * nsresult return value is separate from it.
   * NOTE(review): this header does not say what chainHasValidPins holds when
   * the call returns a failure nsresult. Callers should check the nsresult
   * first and should not treat the out-parameter as a pass in that case -
   * confirm against the implementation.
   * NOTE(review): the result for a host that has no pin set is not stated
   * here - confirm against the implementation.
   *
   * @param certList the certificate chain, one byte span per certificate,
   *        ordered from the EE cert (head) to the trust anchor (tail). The
   *        spans are non-owning views, so the underlying buffers must stay
   *        alive for the duration of the call.
   * @param hostname the host whose pin set is consulted.
   *        NOTE(review): not stated here whether the caller must pass a name
   *        already processed by CanonicalizeHostname, or whether null is
   *        accepted - confirm.
   * @param time the time the check is evaluated at (presumably used for pin
   *        expiration - confirm).
   * @param isBuiltInRoot presumably whether the chain's trust anchor is a
   *        built-in root; how this affects enforcement is not visible in this
   *        header - confirm.
   * @param chainHasValidPins out: the pinning verdict described above.
   * @param pinningTelemetryInfo optional out: telemetry about the check.
   *        Marked optional, so presumably may be null - confirm.
   * @return an nsresult for the call itself (see the notes above).
   */
  static nsresult ChainHasValidPins(
      const nsTArray<Span<const uint8_t>>& certList, const char* hostname,
      mozilla::pkix::Time time, bool isBuiltInRoot,
      /*out*/ bool& chainHasValidPins,
      /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo);

  /**
   * Given a hostname of potentially mixed case with potentially multiple
   * trailing '.' (see bug 1118522), canonicalizes it to lowercase with no
   * trailing '.'.
   *
   * Pin lookups are keyed by hostname, so spelling variants of one name
   * (different case, trailing dots) presumably need to be reduced to a single
   * form to be matched against the same pin set - confirm against callers.
   *
   * @param hostname the hostname to canonicalize.
   *        NOTE(review): handling of a null pointer is not visible in this
   *        header - confirm.
   * @return the canonicalized hostname, returned by value.
   */
  static nsAutoCString CanonicalizeHostname(const char* hostname);

 private:
  // Private so that the object cannot be destroyed directly by outside code.
  ~PublicKeyPinningService() = default;
};

}  // namespace psm
}  // namespace mozilla

#endif  // PublicKeyPinningService_h