       1             : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
       2             : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
       3             : /* This Source Code Form is subject to the terms of the Mozilla Public
       4             :  * License, v. 2.0. If a copy of the MPL was not distributed with this
       5             :  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
       6             : 
       7             : #ifndef BRNameMatchingPolicy_h
       8             : #define BRNameMatchingPolicy_h
       9             : 
      10             : #include "pkix/pkixtypes.h"
      11             : 
      12             : namespace mozilla { namespace psm {
      13             : 
      14             : // According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
      15             : // the requirements of the subject common name field are as follows:
      16             : // "If present, this field MUST contain a single IP address or Fully‐Qualified
      17             : // Domain Name that is one of the values contained in the Certificate’s
      18             : // subjectAltName extension". Consequently, since any name information present
      19             : // in the common name must be present in the subject alternative name extension,
      20             : // when performing name matching, it should not be necessary to fall back to the
      21             : // common name. Because this consequence has not commonly been enforced, this
      22             : // implementation provides a mechanism to start enforcing it gradually while
      23             : // maintaining some backwards compatibility. If configured with the mode
      24             : // "EnforceAfter23August2016", name matching will only fall back to using the
      25             : // subject common name for certificates where the notBefore field is before 23
      26             : // August 2016. Similarly, the mode "EnforceAfter23August2015" is also
      27             : // available. This is to provide a balance between allowing preexisting
      28             : // long-lived certificates and detecting newly-issued problematic certificates.
      29             : // Note that this implementation does not actually directly enforce that if the
      30             : // subject common name is present, its value corresponds to a dNSName or
      31             : // iPAddress entry in the subject alternative name extension.
      32             : 
       /// Name-matching policy implementing the Baseline Requirements rule that
       /// the subject common name must be redundant with the subjectAltName
       /// extension. The chosen Mode decides whether, and for which
       /// certificates (by notBefore date), matching may still fall back to the
       /// common name.
       class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
       {
       public:
         /// How strictly common-name fallback is refused.
         /// - DoNotEnforce: fallback is always permitted.
         /// - EnforceAfter23August2016 / EnforceAfter23August2015: fallback is
         ///   permitted only for certificates whose notBefore precedes that date.
         /// - Enforce: fallback is never permitted.
         /// NOTE(review): the date-gated modes key off the certificate's own
         /// notBefore, a value chosen by the issuer rather than by the verifier,
         /// so they separate certificates only by their claimed issuance date —
         /// confirm that is the intended trust boundary for these modes.
         enum class Mode {
           DoNotEnforce = 0,
           EnforceAfter23August2016 = 1,
           EnforceAfter23August2015 = 2,
           Enforce = 3,
         };

         /// @param mode enforcement mode consulted by FallBackToCommonName.
         explicit BRNameMatchingPolicy(Mode mode) : mMode(mode) {}

         /// Decides whether name matching may fall back to the subject common
         /// name for a certificate with the given notBefore.
         /// @param notBefore the certificate's notBefore field.
         /// @param fallBacktoCommonName out: whether fallback is allowed.
         /// @return a pkix Result; the definition lives outside this header.
         mozilla::pkix::Result FallBackToCommonName(
           mozilla::pkix::Time notBefore,
           /*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
           override;

       private:
         Mode mMode; // enforcement mode fixed at construction
       };
      56             : 
      57             : } } // namespace mozilla::psm
      58             : 
      59             : #endif // BRNameMatchingPolicy_h
