/src/mozilla-central/security/certverifier/OCSPCache.h

Source (jump to first uncovered line)
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This code is made available to you under your choice of the following sets
 * of licensing terms:
 */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
/* Copyright 2013 Mozilla Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef mozilla_psm_OCSPCache_h
#define mozilla_psm_OCSPCache_h

#include "hasht.h"
#include "mozilla/Mutex.h"
#include "mozilla/Vector.h"
#include "pkix/Result.h"
#include "pkix/Time.h"
#include "prerror.h"
#include "seccomon.h"

namespace mozilla {
class OriginAttributes;
}

namespace mozilla { namespace pkix {
struct CertID;
} } // namespace mozilla::pkix

namespace mozilla { namespace psm {

// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
typedef uint8_t SHA384Buffer[SHA384_LENGTH];

// OCSPCache can store and retrieve OCSP response verification results. Each
// result is keyed on the certificate that purportedly corresponds to it (where
// certificates are distinguished based on serial number, issuer, and
// issuer public key, much like in an encoded OCSP response itself). A maximum
// of 1024 distinct entries can be stored.
// OCSPCache is thread-safe.
class OCSPCache
{
public:
  OCSPCache();
  ~OCSPCache();

  // Returns true if the status of the given certificate (issued by the given
  // issuer) is in the cache, and false otherwise.
  // If it is in the cache, returns by reference the error code of the cached
  // status and the time through which the status is considered trustworthy.
  // The passed in origin attributes are used to isolate the OCSP cache.
  // We currently only use the first party domain portion of the attributes, and
  // it is non-empty only when "privacy.firstParty.isolate" is enabled.
  bool Get(const mozilla::pkix::CertID& aCertID,
           const OriginAttributes& aOriginAttributes,
           /*out*/ mozilla::pkix::Result& aResult,
           /*out*/ mozilla::pkix::Time& aValidThrough);

  // Caches the status of the given certificate (issued by the given issuer).
  // The status is considered trustworthy through the given time.
  // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
  // be replaced or evicted.
  // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
  // be evicted when the cache is full.
  // A status with a more recent thisUpdate will not be replaced with a
  // status with a less recent thisUpdate unless the less recent status
  // indicates the certificate is revoked.
  // The passed in origin attributes are used to isolate the OCSP cache.
  // We currently only use the first party domain portion of the attributes, and
  // it is non-empty only when "privacy.firstParty.isolate" is enabled.
  mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID,
                            const OriginAttributes& aOriginAttributes,
                            mozilla::pkix::Result aResult,
                            mozilla::pkix::Time aThisUpdate,
                            mozilla::pkix::Time aValidThrough);

  // Removes everything from the cache.
  void Clear();

private:
  class Entry
  {
  public:
    Entry(mozilla::pkix::Result aResult,
          mozilla::pkix::Time aThisUpdate,
          mozilla::pkix::Time aValidThrough)
      : mResult(aResult)
      , mThisUpdate(aThisUpdate)
      , mValidThrough(aValidThrough)
    {
    }
    mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID,
                               const OriginAttributes& aOriginAttributes);

    mozilla::pkix::Result mResult;
    mozilla::pkix::Time mThisUpdate;
    mozilla::pkix::Time mValidThrough;
    // The SHA-384 hash of the concatenation of the DER encodings of the
    // issuer name and issuer key, followed by the length of the serial number,
    // the serial number, the length of the first party domain, and the first
    // party domain (if "privacy.firstparty.isolate" is enabled).
    // See the documentation for CertIDHash in OCSPCache.cpp.
    SHA384Buffer mIDHash;
  };

  bool FindInternal(const mozilla::pkix::CertID& aCertID,
                    const OriginAttributes& aOriginAttributes,
                    /*out*/ size_t& index,
                    const MutexAutoLock& aProofOfLock);
  void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);

  Mutex mMutex;
  static const size_t MaxEntries = 1024;
  // Sorted with the most-recently-used entry at the end.
  // Using 256 here reserves as much possible inline storage as the vector
  // implementation will give us. 1024 bytes is the maximum it allows,
  // which results in 256 Entry pointers or 128 Entry pointers, depending
  // on the size of a pointer.
  Vector<Entry*, 256> mEntries;
};

} } // namespace mozilla::psm

#endif // mozilla_psm_OCSPCache_h

Coverage Report

Created: 2018-09-25 14:53

Line	Count	Source (jump to first uncovered line)
1		/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */
2		/* vim: set ts=8 sts=2 et sw=2 tw=80: */
3		/* This code is made available to you under your choice of the following sets
4		* of licensing terms:
5		*/
6		/* This Source Code Form is subject to the terms of the Mozilla Public
7		* License, v. 2.0. If a copy of the MPL was not distributed with this
8		* file, You can obtain one at http://mozilla.org/MPL/2.0/.
9		*/
10		/* Copyright 2013 Mozilla Contributors
11		*
12		* Licensed under the Apache License, Version 2.0 (the "License");
13		* you may not use this file except in compliance with the License.
14		* You may obtain a copy of the License at
15		*
16		* http://www.apache.org/licenses/LICENSE-2.0
17		*
18		* Unless required by applicable law or agreed to in writing, software
19		* distributed under the License is distributed on an "AS IS" BASIS,
20		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21		* See the License for the specific language governing permissions and
22		* limitations under the License.
23		*/
24
25		#ifndef mozilla_psm_OCSPCache_h
26		#define mozilla_psm_OCSPCache_h
27
28		#include "hasht.h"
29		#include "mozilla/Mutex.h"
30		#include "mozilla/Vector.h"
31		#include "pkix/Result.h"
32		#include "pkix/Time.h"
33		#include "prerror.h"
34		#include "seccomon.h"
35
36		namespace mozilla {
37		class OriginAttributes;
38		}
39
40		namespace mozilla { namespace pkix {
41		struct CertID;
42		} } // namespace mozilla::pkix
43
44		namespace mozilla { namespace psm {
45
46		// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
47		typedef uint8_t SHA384Buffer[SHA384_LENGTH];
48
49		// OCSPCache can store and retrieve OCSP response verification results. Each
50		// result is keyed on the certificate that purportedly corresponds to it (where
51		// certificates are distinguished based on serial number, issuer, and
52		// issuer public key, much like in an encoded OCSP response itself). A maximum
53		// of 1024 distinct entries can be stored.
54		// OCSPCache is thread-safe.
55		class OCSPCache
56		{
57		public:
58		OCSPCache();
59		~OCSPCache();
60
61		// Returns true if the status of the given certificate (issued by the given
62		// issuer) is in the cache, and false otherwise.
63		// If it is in the cache, returns by reference the error code of the cached
64		// status and the time through which the status is considered trustworthy.
65		// The passed in origin attributes are used to isolate the OCSP cache.
66		// We currently only use the first party domain portion of the attributes, and
67		// it is non-empty only when "privacy.firstParty.isolate" is enabled.
68		bool Get(const mozilla::pkix::CertID& aCertID,
69		const OriginAttributes& aOriginAttributes,
70		/out/ mozilla::pkix::Result& aResult,
71		/out/ mozilla::pkix::Time& aValidThrough);
72
73		// Caches the status of the given certificate (issued by the given issuer).
74		// The status is considered trustworthy through the given time.
75		// A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
76		// be replaced or evicted.
77		// A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
78		// be evicted when the cache is full.
79		// A status with a more recent thisUpdate will not be replaced with a
80		// status with a less recent thisUpdate unless the less recent status
81		// indicates the certificate is revoked.
82		// The passed in origin attributes are used to isolate the OCSP cache.
83		// We currently only use the first party domain portion of the attributes, and
84		// it is non-empty only when "privacy.firstParty.isolate" is enabled.
85		mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID,
86		const OriginAttributes& aOriginAttributes,
87		mozilla::pkix::Result aResult,
88		mozilla::pkix::Time aThisUpdate,
89		mozilla::pkix::Time aValidThrough);
90
91		// Removes everything from the cache.
92		void Clear();
93
94		private:
95		class Entry
96		{
97		public:
98		Entry(mozilla::pkix::Result aResult,
99		mozilla::pkix::Time aThisUpdate,
100		mozilla::pkix::Time aValidThrough)
101		: mResult(aResult)
102		, mThisUpdate(aThisUpdate)
103		, mValidThrough(aValidThrough)
104	0	{
105	0	}
106		mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID,
107		const OriginAttributes& aOriginAttributes);
108
109		mozilla::pkix::Result mResult;
110		mozilla::pkix::Time mThisUpdate;
111		mozilla::pkix::Time mValidThrough;
112		// The SHA-384 hash of the concatenation of the DER encodings of the
113		// issuer name and issuer key, followed by the length of the serial number,
114		// the serial number, the length of the first party domain, and the first
115		// party domain (if "privacy.firstparty.isolate" is enabled).
116		// See the documentation for CertIDHash in OCSPCache.cpp.
117		SHA384Buffer mIDHash;
118		};
119
120		bool FindInternal(const mozilla::pkix::CertID& aCertID,
121		const OriginAttributes& aOriginAttributes,
122		/out/ size_t& index,
123		const MutexAutoLock& aProofOfLock);
124		void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
125
126		Mutex mMutex;
127		static const size_t MaxEntries = 1024;
128		// Sorted with the most-recently-used entry at the end.
129		// Using 256 here reserves as much possible inline storage as the vector
130		// implementation will give us. 1024 bytes is the maximum it allows,
131		// which results in 256 Entry pointers or 128 Entry pointers, depending
132		// on the size of a pointer.
133		Vector<Entry*, 256> mEntries;
134		};
135
136		} } // namespace mozilla::psm
137
138		#endif // mozilla_psm_OCSPCache_h