Bug 921891, Part 1: Add insanity::pkix::Result and insanity::pkix::TrustDomain, r=keeler, r=cviecco
--HG-- extra : rebase_source : 2157dbe076e0f50d7c618964804fd17d7e735904 extra : source : 682de9276170560ac62d5bc5ffbe5b707060321b
parent
6d9cce8656
commit
da7f929c3d
@ -1,18 +1,18 @@
|
||||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
/* Copyright 2012 Mozilla Foundation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
/* Copyright 2012 Mozilla Foundation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef insanity_pkix__pkixtypes_h
|
||||
@ -33,6 +33,60 @@ typedef ScopedPtr<CERTCertList, CERT_DestroyCertList> ScopedCERTCertList;
|
||||
typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
|
||||
ScopedSECKEYPublicKey;
|
||||
|
||||
typedef unsigned int KeyUsages;
|
||||
|
||||
enum EndEntityOrCA { MustBeEndEntity, MustBeCA };
|
||||
|
||||
// Applications control the behavior of path building and verification by
|
||||
// implementing the TrustDomain interface. The TrustDomain is used for all
|
||||
// cryptography and for determining which certificates are trusted or
|
||||
// distrusted.
|
||||
class TrustDomain
|
||||
{
|
||||
public:
|
||||
virtual ~TrustDomain() { }
|
||||
|
||||
enum TrustLevel {
|
||||
TrustAnchor = 1, // certificate is a trusted root CA certificate or
|
||||
// equivalent
|
||||
ActivelyDistrusted = 2, // certificate is known to be bad
|
||||
InheritsTrust = 3 // certificate must chain to a trust anchor
|
||||
};
|
||||
|
||||
// Determine the level of trust in the given certificate for the given role.
|
||||
// This will be called for every certificate encountered during path
|
||||
// building.
|
||||
virtual SECStatus GetCertTrust(EndEntityOrCA endEntityOrCA,
|
||||
const CERTCertificate* candidateCert,
|
||||
/*out*/ TrustLevel* trustLevel) = 0;
|
||||
|
||||
// Find all certificates (intermediate and/or root) in the certificate
|
||||
// database that have a subject name matching |encodedIssuerName| at
|
||||
// the given time. Certificates where the given time is not within the
|
||||
// certificate's validity period may be excluded. The results should be
|
||||
// added to the |results| certificate list.
|
||||
virtual SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
|
||||
PRTime time,
|
||||
/*out*/ ScopedCERTCertList& results) = 0;
|
||||
|
||||
// Verify the given signature using the public key of the given certificate.
|
||||
// The implementation should be careful to ensure that the given certificate
|
||||
// has all the public key information needed--i.e. it should ensure that the
|
||||
// certificate is not trying to use EC(DSA) parameter inheritance.
|
||||
//
|
||||
// Most implementations of this function should probably forward the call
|
||||
// directly to insanity::pkix::VerifySignedData.
|
||||
virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
|
||||
const CERTCertificate* cert) = 0;
|
||||
|
||||
protected:
|
||||
TrustDomain() { }
|
||||
|
||||
private:
|
||||
TrustDomain(const TrustDomain&) /* = delete */;
|
||||
void operator=(const TrustDomain&) /* = delete */;
|
||||
};
|
||||
|
||||
} } // namespace insanity::pkix
|
||||
|
||||
#endif // insanity_pkix__pkixtypes_h
|
||||
|
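Review bot: The comment on GetCertTrust does not say what `*trustLevel` holds when the call fails, nor whether a distrusted certificate is reported as SECSuccess with ActivelyDistrusted or as SECFailure. Applications implement this interface and path building acts on the answer, so the contract should be written down, for example `// On SECSuccess, *trustLevel must be set to one of the TrustLevel values; on SECFailure it is unspecified and must not be read.` The FindPotentialIssuers comment has a similar gap: "may be excluded" makes the validity-period filter optional, so if the path builder re-checks validity on every returned certificate (not visible in this section), the comment should say that implementations are not relied on for it. The VerifySignedData comment's requirement to reject EC(DSA) parameter inheritance is also only a "should"; consider wording it as a requirement on implementers.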
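--- a/security/insanity/lib/pkixutil.h
+++ b/security/insanity/lib/pkixutil.h
@@ -0,0 +1,72 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Copyright 2013 Mozilla Foundation
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+#ifndef insanity_pkix__pkixutil_h
+#define insanity_pkix__pkixutil_h
+
+#include "insanity/pkixtypes.h"
+#include "prerror.h"
+#include "seccomon.h"
+#include "secerr.h"
+
+namespace insanity { namespace pkix {
+
+enum Result
+{
+Success = 0,
+FatalError = -1, // An error was encountered that caused path building
+// to stop immediately. example: out-of-memory.
+RecoverableError = -2 // an error that will cause path building to continue
+// searching for alternative paths. example: expired
+// certificate.
+};
+
+// When returning errors, use this function instead of calling PR_SetError
+// directly. This helps ensure that we always call PR_SetError when we return
+// an error code. This is a useful place to set a breakpoint when a debugging
+// a certificate verification failure.
+inline Result
+Fail(Result result, PRErrorCode errorCode)
+{
+PR_ASSERT(result != Success);
+PR_SetError(errorCode, 0);
+return result;
+}
+
+inline Result
+MapSECStatus(SECStatus srv)
+{
+if (srv == SECSuccess) {
+return Success;
+}
+
+PRErrorCode error = PORT_GetError();
+switch (error) {
+case SEC_ERROR_EXTENSION_NOT_FOUND:
+return RecoverableError;
+
+case SEC_ERROR_LIBRARY_FAILURE:
+case SEC_ERROR_NO_MEMORY:
+return FatalError;
+}
+
+// TODO: PORT_Assert(false); // we haven't classified the error yet
+return RecoverableError;
+}
+} } // namespace insanity::pkix
+
+#endif // insanity_pkix__pkixutil_h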
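Review bot: In MapSECStatus, every error code outside the three listed cases falls through to the final `return RecoverableError;`, including a failed call that left no error set (PORT_GetError() returning 0), so the caller can receive a non-Success Result with no error code behind it. The comment above Fail says that helper exists so an error is always set when one is returned, but MapSECStatus does not go through it. Consider handling the empty case before the switch, for example `if (error == 0) { return Fail(FatalError, SEC_ERROR_LIBRARY_FAILURE); }`, and moving the TODO under an explicit `default:` label so the fall-through is visibly deliberate. Treating unclassified errors as recoverable keeps path building searching instead of stopping, which is worth stating in a comment because it decides how unexpected NSS failures surface during certificate verification.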