/src/mozilla-central/security/certverifier/BRNameMatchingPolicy.h

Source (jump to first uncovered line)
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef BRNameMatchingPolicy_h
#define BRNameMatchingPolicy_h

#include "pkix/pkixtypes.h"

namespace mozilla { namespace psm {

// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
// the requirements of the subject common name field are as follows:
// "If present, this field MUST contain a single IP address or Fully‐Qualified
// Domain Name that is one of the values contained in the Certificate’s
// subjectAltName extension". Consequently, since any name information present
// in the common name must be present in the subject alternative name extension,
// when performing name matching, it should not be necessary to fall back to the
// common name. Because this consequence has not commonly been enforced, this
// implementation provides a mechanism to start enforcing it gradually while
// maintaining some backwards compatibility. If configured with the mode
// "EnforceAfter23August2016", name matching will only fall back to using the
// subject common name for certificates where the notBefore field is before 23
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
// available. This is to provide a balance between allowing preexisting
// long-lived certificates and detecting newly-issued problematic certificates.
// Note that this implementation does not actually directly enforce that if the
// subject common name is present, its value corresponds to a dNSName or
// iPAddress entry in the subject alternative name extension.

class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
{
public:
  enum class Mode {
    DoNotEnforce = 0,
    EnforceAfter23August2016 = 1,
    EnforceAfter23August2015 = 2,
    Enforce = 3,
  };

  explicit BRNameMatchingPolicy(Mode mode)
    : mMode(mode)
  {
  }

  virtual mozilla::pkix::Result FallBackToCommonName(
    mozilla::pkix::Time notBefore,
    /*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
    override;

private:
  Mode mMode;
};

} } // namespace mozilla::psm

#endif // BRNameMatchingPolicy_h

Coverage Report

Created: 2018-09-25 14:53

Line	Count	Source (jump to first uncovered line)
1		/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */
2		/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3		/* This Source Code Form is subject to the terms of the Mozilla Public
4		* License, v. 2.0. If a copy of the MPL was not distributed with this
5		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7		#ifndef BRNameMatchingPolicy_h
8		#define BRNameMatchingPolicy_h
9
10		#include "pkix/pkixtypes.h"
11
12		namespace mozilla { namespace psm {
13
14		// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
15		// the requirements of the subject common name field are as follows:
16		// "If present, this field MUST contain a single IP address or Fully‐Qualified
17		// Domain Name that is one of the values contained in the Certificate’s
18		// subjectAltName extension". Consequently, since any name information present
19		// in the common name must be present in the subject alternative name extension,
20		// when performing name matching, it should not be necessary to fall back to the
21		// common name. Because this consequence has not commonly been enforced, this
22		// implementation provides a mechanism to start enforcing it gradually while
23		// maintaining some backwards compatibility. If configured with the mode
24		// "EnforceAfter23August2016", name matching will only fall back to using the
25		// subject common name for certificates where the notBefore field is before 23
26		// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
27		// available. This is to provide a balance between allowing preexisting
28		// long-lived certificates and detecting newly-issued problematic certificates.
29		// Note that this implementation does not actually directly enforce that if the
30		// subject common name is present, its value corresponds to a dNSName or
31		// iPAddress entry in the subject alternative name extension.
32
33		class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
34		{
35		public:
36		enum class Mode {
37		DoNotEnforce = 0,
38		EnforceAfter23August2016 = 1,
39		EnforceAfter23August2015 = 2,
40		Enforce = 3,
41		};
42
43		explicit BRNameMatchingPolicy(Mode mode)
44		: mMode(mode)
45	0	{
46	0	}
47
48		virtual mozilla::pkix::Result FallBackToCommonName(
49		mozilla::pkix::Time notBefore,
50		/out/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
51		override;
52
53		private:
54		Mode mMode;
55		};
56
57		} } // namespace mozilla::psm
58
59		#endif // BRNameMatchingPolicy_h