Line data Source code
1 : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 : /* This code is made available to you under your choice of the following sets
4 : * of licensing terms:
5 : */
6 : /* This Source Code Form is subject to the terms of the Mozilla Public
7 : * License, v. 2.0. If a copy of the MPL was not distributed with this
8 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 : */
10 : /* Copyright 2013 Mozilla Contributors
11 : *
12 : * Licensed under the Apache License, Version 2.0 (the "License");
13 : * you may not use this file except in compliance with the License.
14 : * You may obtain a copy of the License at
15 : *
16 : * http://www.apache.org/licenses/LICENSE-2.0
17 : *
18 : * Unless required by applicable law or agreed to in writing, software
19 : * distributed under the License is distributed on an "AS IS" BASIS,
20 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 : * See the License for the specific language governing permissions and
22 : * limitations under the License.
23 : */
24 :
25 : #ifndef mozilla_psm_OCSPCache_h
26 : #define mozilla_psm_OCSPCache_h
27 :
28 : #include "hasht.h"
29 : #include "mozilla/Mutex.h"
30 : #include "mozilla/Vector.h"
31 : #include "pkix/Result.h"
32 : #include "pkix/Time.h"
33 : #include "prerror.h"
34 : #include "seccomon.h"
35 :
36 : namespace mozilla {
37 : class OriginAttributes;
38 : }
39 :
40 : namespace mozilla { namespace pkix {
41 : struct CertID;
42 : } } // namespace mozilla::pkix
43 :
44 : namespace mozilla { namespace psm {
45 :
46 : // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
47 : typedef uint8_t SHA384Buffer[SHA384_LENGTH];
48 :
49 : // OCSPCache can store and retrieve OCSP response verification results. Each
50 : // result is keyed on the certificate that purportedly corresponds to it (where
51 : // certificates are distinguished based on serial number, issuer, and
52 : // issuer public key, much like in an encoded OCSP response itself). A maximum
53 : // of 1024 distinct entries can be stored.
54 : // OCSPCache is thread-safe.
55 : class OCSPCache
56 : {
57 : public:
58 : OCSPCache();
59 : ~OCSPCache();
60 :
61 : // Returns true if the status of the given certificate (issued by the given
62 : // issuer) is in the cache, and false otherwise.
63 : // If it is in the cache, returns by reference the error code of the cached
64 : // status and the time through which the status is considered trustworthy.
65 : // The passed in origin attributes are used to isolate the OCSP cache.
66 : // We currently only use the first party domain portion of the attributes, and
67 : // it is non-empty only when "privacy.firstParty.isolate" is enabled.
68 : bool Get(const mozilla::pkix::CertID& aCertID,
69 : const OriginAttributes& aOriginAttributes,
70 : /*out*/ mozilla::pkix::Result& aResult,
71 : /*out*/ mozilla::pkix::Time& aValidThrough);
72 :
73 : // Caches the status of the given certificate (issued by the given issuer).
74 : // The status is considered trustworthy through the given time.
75 : // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
76 : // be replaced or evicted.
77 : // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
78 : // be evicted when the cache is full.
79 : // A status with a more recent thisUpdate will not be replaced with a
80 : // status with a less recent thisUpdate unless the less recent status
81 : // indicates the certificate is revoked.
82 : // The passed in origin attributes are used to isolate the OCSP cache.
83 : // We currently only use the first party domain portion of the attributes, and
84 : // it is non-empty only when "privacy.firstParty.isolate" is enabled.
85 : mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID,
86 : const OriginAttributes& aOriginAttributes,
87 : mozilla::pkix::Result aResult,
88 : mozilla::pkix::Time aThisUpdate,
89 : mozilla::pkix::Time aValidThrough);
90 :
91 : // Removes everything from the cache.
92 : void Clear();
93 :
94 : private:
95 : class Entry
96 : {
97 : public:
98 0 : Entry(mozilla::pkix::Result aResult,
99 : mozilla::pkix::Time aThisUpdate,
100 : mozilla::pkix::Time aValidThrough)
101 0 : : mResult(aResult)
102 : , mThisUpdate(aThisUpdate)
103 0 : , mValidThrough(aValidThrough)
104 : {
105 0 : }
106 : mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID,
107 : const OriginAttributes& aOriginAttributes);
108 :
109 : mozilla::pkix::Result mResult;
110 : mozilla::pkix::Time mThisUpdate;
111 : mozilla::pkix::Time mValidThrough;
112 : // The SHA-384 hash of the concatenation of the DER encodings of the
113 : // issuer name and issuer key, followed by the length of the serial number,
114 : // the serial number, the length of the first party domain, and the first
115 : // party domain (if "privacy.firstparty.isolate" is enabled).
116 : // See the documentation for CertIDHash in OCSPCache.cpp.
117 : SHA384Buffer mIDHash;
118 : };
119 :
120 : bool FindInternal(const mozilla::pkix::CertID& aCertID,
121 : const OriginAttributes& aOriginAttributes,
122 : /*out*/ size_t& index,
123 : const MutexAutoLock& aProofOfLock);
124 : void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
125 :
126 : Mutex mMutex;
127 : static const size_t MaxEntries = 1024;
128 : // Sorted with the most-recently-used entry at the end.
129 : // Using 256 here reserves as much possible inline storage as the vector
130 : // implementation will give us. 1024 bytes is the maximum it allows,
131 : // which results in 256 Entry pointers or 128 Entry pointers, depending
132 : // on the size of a pointer.
133 : Vector<Entry*, 256> mEntries;
134 : };
135 :
136 : } } // namespace mozilla::psm
137 :
138 : #endif // mozilla_psm_OCSPCache_h
|
