Home Explore Help
Sign In
khronosschoty
/
palemoon-dev
Watch 2
Star 1
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
palemoon-dev
/
platform
/
security
/
certverifier
/
BRNameMatchingPolicy.h

BRNameMatchingPolicy.h 2.3 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
    2. 

  2. /* This Source Code Form is subject to the terms of the Mozilla Public
    3. 

  3.  * License, v. 2.0. If a copy of the MPL was not distributed with this
    4. 

  4.  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
    5. 

  5. 

  6. #ifndef BRNameMatchingPolicy_h
    7. 

  7. #define BRNameMatchingPolicy_h
    8. 

  8. 

  9. #include "pkix/pkixtypes.h"
    10. 

  10. 

  11. namespace mozilla { namespace psm {
    12. 

  12. 

  13. // According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
    14. 

  14. // the requirements of the subject common name field are as follows:
    15. 

  15. // "If present, this field MUST contain a single IP address or Fully‐Qualified
    16. 

  16. // Domain Name that is one of the values contained in the Certificate’s
    17. 

  17. // subjectAltName extension". Consequently, since any name information present
    18. 

  18. // in the common name must be present in the subject alternative name extension,
    19. 

  19. // when performing name matching, it should not be necessary to fall back to the
    20. 

  20. // common name. Because this consequence has not commonly been enforced, this
    21. 

  21. // implementation provides a mechanism to start enforcing it gradually while
    22. 

  22. // maintaining some backwards compatibility. If configured with the mode
    23. 

  23. // "EnforceAfter23August2016", name matching will only fall back to using the
    24. 

  24. // subject common name for certificates where the notBefore field is before 23
    25. 

  25. // August 2016. Similarly, the mode "EnforceAfter23August2015" is also
    26. 

  26. // available. This is to provide a balance between allowing preexisting
    27. 

  27. // long-lived certificates and detecting newly-issued problematic certificates.
    28. 

  28. // Note that this implementation does not actually directly enforce that if the
    29. 

  29. // subject common name is present, its value corresponds to a dNSName or
    30. 

  30. // iPAddress entry in the subject alternative name extension.
    31. 

  31. 

  32. class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
    33. 

  33. {
    34. 

  34. public:
    35. 

  35.   enum class Mode {
    36. 

  36.     DoNotEnforce = 0,
    37. 

  37.     EnforceAfter23August2016 = 1,
    38. 

  38.     EnforceAfter23August2015 = 2,
    39. 

  39.     Enforce = 3,
    40. 

  40.   };
    41. 

  41. 

  42.   explicit BRNameMatchingPolicy(Mode mode)
    43. 

  43.     : mMode(mode)
    44. 

  44.   {
    45. 

  45.   }
    46. 

  46. 

  47.   virtual mozilla::pkix::Result FallBackToCommonName(
    48. 

  48.     mozilla::pkix::Time notBefore,
    49. 

  49.     /*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
    50. 

  50.     override;
    51. 

  51. 

  52. private:
    53. 

  53.   Mode mMode;
    54. 

  54. };
    55. 

  55. 

  56. } } // namespace mozilla::psm
    57. 

  57. 

  58. #endif // BRNameMatchingPolicy_h
    59. 

  59.