/src/mozilla-central/security/manager/ssl/nsNSSCertificate.h
1 | | /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
2 | | /* This Source Code Form is subject to the terms of the Mozilla Public |
3 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
4 | | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
5 | | |
6 | | #ifndef nsNSSCertificate_h |
7 | | #define nsNSSCertificate_h |
8 | | |
9 | | #include <functional> |
10 | | #include <vector> |
11 | | |
12 | | #include "ScopedNSSTypes.h" |
13 | | #include "certt.h" |
14 | | #include "nsCOMPtr.h" |
15 | | #include "nsIASN1Object.h" |
16 | | #include "nsIClassInfo.h" |
17 | | #include "nsISerializable.h" |
18 | | #include "nsIX509Cert.h" |
19 | | #include "nsIX509CertDB.h" |
20 | | #include "nsIX509CertList.h" |
21 | | #include "nsSimpleEnumerator.h" |
22 | | #include "nsStringFwd.h" |
23 | | |
24 | | namespace mozilla { namespace pkix { class DERArray; } } |
25 | | |
26 | | class nsINSSComponent; |
27 | | class nsIASN1Sequence; |
28 | | |
// XPCOM wrapper around a single NSS CERTCertificate. Implements nsIX509Cert,
// nsISerializable and nsIClassInfo. The class is final and its destructor is
// private, so instances are only torn down through the thread-safe refcount
// declared by NS_DECL_THREADSAFE_ISUPPORTS.
class nsNSSCertificate final : public nsIX509Cert
                             , public nsISerializable
                             , public nsIClassInfo
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIX509CERT
  NS_DECL_NSISERIALIZABLE
  NS_DECL_NSICLASSINFO

  // Wraps an existing NSS certificate handle. Whether a new reference is taken
  // or the caller's reference is adopted is not visible from this header —
  // confirm in the definition before relying on either.
  explicit nsNSSCertificate(CERTCertificate* cert);
  nsNSSCertificate();
  // Factory wrapper; with the default nullptr argument an empty object results.
  static nsNSSCertificate* Create(CERTCertificate* cert = nullptr);
  // Builds a certificate object from raw DER bytes.
  // NOTE(review): `derLen` is a signed int and `certDER` is non-const. Whether
  // a negative or zero length, or a malformed encoding, is rejected before the
  // bytes reach NSS is decided in the definition, not here — confirm when this
  // is fed data from an untrusted source.
  static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);

  // This is a separate static method so nsNSSComponent can use it during NSS
  // initialization. Other code should probably not use it.
  static nsresult GetDbKey(const mozilla::UniqueCERTCertificate& cert,
                           nsACString& aDbKey);

private:
  virtual ~nsNSSCertificate();

  mozilla::UniqueCERTCertificate mCert; // owning handle to the NSS certificate
  bool mPermDelete;                     // no in-class initializer; constructors are expected to set it — confirm
  uint32_t mCertType;                   // no in-class initializer; likewise
  std::vector<nsString> mSubjectAltNames; // presumably populated by GetSubjectAltNames() — verify in the definition
  nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
  nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence);
  nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate);
  bool InitFromDER(char* certDER, int derLen); // return false on failure

  // Writes the certificate fingerprint computed with the digest selected by
  // `aHashAlg`. The declaration places no restriction on which SECOidTag
  // values are accepted; any policy on weak digests lives in the definition.
  nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg);
  void GetSubjectAltNames();
};
64 | | |
namespace mozilla {

// Builds an NSS CERTCertList from the DER-encoded certificates in `certArray`,
// returning it through `certList`. The "Reversed" in the name suggests the
// array is expected in reverse chain order (root first) — confirm against the
// definition before calling. The result is reported as a SECStatus.
SECStatus ConstructCERTCertListFromReversedDERArray(
            const mozilla::pkix::DERArray& certArray,
            /*out*/ mozilla::UniqueCERTCertList& certList);

} // namespace mozilla
72 | | |
// Callback type for nsNSSCertList::ForEachCertificateInChain. The callable
// receives the current certificate, `aHasMore` (false on the last element),
// and an out-parameter `aContinue` that it may clear to stop iteration. The
// alias itself is const-qualified, so references to it are const references.
using ForEachCertOperation =
    const std::function<nsresult(nsCOMPtr<nsIX509Cert>& aCert,
                                 bool aHasMore, /* out */ bool& aContinue)>;
75 | | |
// XPCOM wrapper around an ordered list of NSS certificates (nsIX509CertList +
// nsISerializable). The list is non-copyable; each element in mCerts is an
// owned UniqueCERTCertificate. Nothing in this class validates a chain — the
// "chain" helpers below only segment the list by position.
class nsNSSCertList : public nsIX509CertList
                    , public nsISerializable
{
public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSIX509CERTLIST
  NS_DECL_NSISERIALIZABLE

  // The only way to call this is with std::move(some cert list) (because the
  // copy constructor should be deleted for UniqueCERTCertList), so we
  // effectively take ownership of it. What actually happens is we iterate
  // through the list getting our own owned reference to each certificate in the
  // list, and then the UniqueCERTCertList is dropped as it goes out of scope
  // (thus releasing its own reference to each certificate).
  explicit nsNSSCertList(mozilla::UniqueCERTCertList certList);

  // Creates an empty list.
  nsNSSCertList();

  // Returns a new UniqueCERTCertList holding the same certificates as
  // `certList`; the input is not modified (it is taken by const reference).
  static mozilla::UniqueCERTCertList DupCertList(
    const mozilla::UniqueCERTCertList& certList);

  // For each certificate in this CertList, run the operation aOperation.
  // To end early with NS_OK, set the `aContinue` argument false before
  // returning. To end early with an error, return anything except NS_OK.
  // The `aHasMore` argument is false when this is the last certificate in the
  // chain.
  nsresult ForEachCertificateInChain(ForEachCertOperation& aOperation);

  // Split a certificate chain into the root, intermediates (if any), and end
  // entity. This method does so blindly, assuming that the current list object
  // is ordered [end entity, intermediates..., root]. If that isn't true, this
  // method will return the certificates at the two ends without regard to the
  // actual chain of trust. Callers are encouraged to check, if there's any
  // doubt.
  // Will return error if used on self-signed or empty chains.
  // This method requires that all arguments be empty, notably the list
  // `aIntermediates` must be empty.
  // Because the split is positional only, the `aRoot` produced here must not
  // be treated as a trust anchor unless the chain was verified elsewhere.
  nsresult SegmentCertificateChain(/* out */ nsCOMPtr<nsIX509Cert>& aRoot,
                                   /* out */ nsCOMPtr<nsIX509CertList>& aIntermediates,
                                   /* out */ nsCOMPtr<nsIX509Cert>& aEndEntity);

  // Obtain the root certificate of a certificate chain. This method does so
  // blindly, as SegmentCertificateChain; the same restrictions apply. On an
  // empty list, leaves aRoot empty and returns OK. Note the asymmetry with
  // SegmentCertificateChain, which fails on an empty list: callers must check
  // `aRoot` rather than rely on the return value alone.
  nsresult GetRootCertificate(/* out */ nsCOMPtr<nsIX509Cert>& aRoot);

private:
  // Private and virtual: destruction happens only via Release() from the
  // thread-safe refcount; the class is not final, so the virtual dtor matters
  // for any subclass.
  virtual ~nsNSSCertList() {}

  // Owned certificates, in list order (expected [end entity, ..., root] by the
  // chain helpers above).
  std::vector<mozilla::UniqueCERTCertificate> mCerts;

  // Non-copyable: the elements are unique-ownership handles.
  nsNSSCertList(const nsNSSCertList&) = delete;
  void operator=(const nsNSSCertList&) = delete;
};
130 | | |
// Class ID for nsNSSCertificate, spelled out as the four fields of the UUID
// given in the comment (32-bit, 16-bit, 16-bit, then the remaining 8 bytes).
// Any change here must be kept in sync with that UUID and with the component
// registration that refers to this CID.
#define NS_X509CERT_CID { /* 660a3226-915c-4ffb-bb20-8985a632df05 */ \
    0x660a3226,                                                      \
    0x915c,                                                          \
    0x4ffb,                                                          \
    { 0xbb, 0x20, 0x89, 0x85, 0xa6, 0x32, 0xdf, 0x05 }               \
  }
137 | | |
138 | | #endif // nsNSSCertificate_h |