Line data Source code
1 : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 : /* This code is made available to you under your choice of the following sets
4 : * of licensing terms:
5 : */
6 : /* This Source Code Form is subject to the terms of the Mozilla Public
7 : * License, v. 2.0. If a copy of the MPL was not distributed with this
8 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 : */
10 : /* Copyright 2013 Mozilla Contributors
11 : *
12 : * Licensed under the Apache License, Version 2.0 (the "License");
13 : * you may not use this file except in compliance with the License.
14 : * You may obtain a copy of the License at
15 : *
16 : * http://www.apache.org/licenses/LICENSE-2.0
17 : *
18 : * Unless required by applicable law or agreed to in writing, software
19 : * distributed under the License is distributed on an "AS IS" BASIS,
20 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 : * See the License for the specific language governing permissions and
22 : * limitations under the License.
23 : */
24 :
25 : #ifndef mozilla_pkix_pkixnss_h
26 : #define mozilla_pkix_pkixnss_h
27 :
28 : #include "pkixtypes.h"
29 : #include "prerror.h"
30 : #include "seccomon.h"
31 :
32 : namespace mozilla { namespace pkix {
33 :
34 : // Verifies the PKCS#1.5 signature on the given data using the given RSA public
35 : // key.
36 : Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
37 : Input subjectPublicKeyInfo,
38 : void* pkcs11PinArg);
39 :
40 : // Verifies the ECDSA signature on the given data using the given ECC public
41 : // key.
42 : Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
43 : Input subjectPublicKeyInfo,
44 : void* pkcs11PinArg);
45 :
46 : // Computes the digest of the given data using the given digest algorithm.
47 : //
48 : // item contains the data to hash.
49 : // digestBuf must point to a buffer to where the digest will be written.
50 : // digestBufLen must be the size of the buffer, which must be exactly equal
51 : // to the size of the digest output (20 for SHA-1, 32 for SHA-256,
52 : // etc.)
53 : //
54 : // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
55 : // other, extensive, memory safety efforts in mozilla::pkix, and we should find
56 : // a way to provide a more-obviously-safe interface.
57 : Result DigestBufNSS(Input item,
58 : DigestAlgorithm digestAlg,
59 : /*out*/ uint8_t* digestBuf,
60 : size_t digestBufLen);
61 :
62 : Result MapPRErrorCodeToResult(PRErrorCode errorCode);
63 : PRErrorCode MapResultToPRErrorCode(Result result);
64 :
65 : // The error codes within each module must fit in 16 bits. We want these
66 : // errors to fit in the same module as the NSS errors but not overlap with
67 : // any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
68 : // involves negating the value of the error and then synthesizing an error
69 : // in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
70 : // a negative value that both doesn't overlap with the current value
71 : // ranges for NSS errors and that will fit in 16 bits when negated.
72 : static const PRErrorCode ERROR_BASE = -0x4000;
73 : static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
74 :
75 : enum ErrorCode
76 : {
77 : MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
78 : MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
79 : MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
80 : MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
81 : MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
82 : MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
83 : MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
84 : MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
85 : MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
86 : MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
87 : MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
88 : MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
89 : MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
90 : END_OF_LIST
91 : };
92 :
93 : void RegisterErrorTable();
94 :
95 15 : inline SECItem UnsafeMapInputToSECItem(Input input)
96 : {
97 : SECItem result = {
98 : siBuffer,
99 15 : const_cast<uint8_t*>(input.UnsafeGetData()),
100 15 : input.GetLength()
101 45 : };
102 : static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
103 : "input.GetLength() must fit in a SECItem");
104 15 : return result;
105 : }
106 :
107 : } } // namespace mozilla::pkix
108 :
109 : #endif // mozilla_pkix_pkixnss_h
|