1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "OCSPVerificationTrustDomain.h" 8 9 using namespace mozilla; 10 using namespace mozilla::pkix; 11 12 namespace mozilla { 13 namespace psm { 14 15 OCSPVerificationTrustDomain::OCSPVerificationTrustDomain( 16 NSSCertDBTrustDomain& certDBTrustDomain) 17 : mCertDBTrustDomain(certDBTrustDomain) {} 18 19 Result OCSPVerificationTrustDomain::GetCertTrust( 20 EndEntityOrCA endEntityOrCA, const CertPolicyId& policy, 21 Input candidateCertDER, 22 /*out*/ TrustLevel& trustLevel) { 23 return mCertDBTrustDomain.GetCertTrust(endEntityOrCA, policy, 24 candidateCertDER, trustLevel); 25 } 26 27 Result OCSPVerificationTrustDomain::FindIssuer(Input, IssuerChecker&, Time) { 28 // We do not expect this to be called for OCSP signers 29 return Result::FATAL_ERROR_LIBRARY_FAILURE; 30 } 31 32 Result OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time, 33 const CertPolicyId&) { 34 // We do not expect this to be called for OCSP signers 35 return Result::FATAL_ERROR_LIBRARY_FAILURE; 36 } 37 38 Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA, 39 const CertID&, Time, 40 Duration, const Input*, 41 const Input*, 42 const Input*) { 43 // We do not expect this to be called for OCSP signers 44 return Result::FATAL_ERROR_LIBRARY_FAILURE; 45 } 46 47 Result OCSPVerificationTrustDomain::CheckSignatureDigestAlgorithm( 48 DigestAlgorithm aAlg, EndEntityOrCA aEEOrCA, Time notBefore) { 49 // The reason for wrapping the NSSCertDBTrustDomain in an 50 // OCSPVerificationTrustDomain is to allow us to bypass the weaker signature 51 // algorithm check - thus all allowable signature digest algorithms should 52 // always be accepted. This is only needed while we gather telemetry on SHA-1. 53 return Success; 54 } 55 56 Result OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits( 57 EndEntityOrCA aEEOrCA, unsigned int aModulusSizeInBits) { 58 return mCertDBTrustDomain.CheckRSAPublicKeyModulusSizeInBits( 59 aEEOrCA, aModulusSizeInBits); 60 } 61 62 Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest( 63 const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) { 64 return mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(aSignedDigest, 65 aSubjectPublicKeyInfo); 66 } 67 68 Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable( 69 EndEntityOrCA aEEOrCA, NamedCurve aCurve) { 70 return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve); 71 } 72 73 Result OCSPVerificationTrustDomain::VerifyECDSASignedDigest( 74 const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) { 75 return mCertDBTrustDomain.VerifyECDSASignedDigest(aSignedDigest, 76 aSubjectPublicKeyInfo); 77 } 78 79 Result OCSPVerificationTrustDomain::CheckValidityIsAcceptable( 80 Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA, 81 KeyPurposeId keyPurpose) { 82 return mCertDBTrustDomain.CheckValidityIsAcceptable( 83 notBefore, notAfter, endEntityOrCA, keyPurpose); 84 } 85 86 Result OCSPVerificationTrustDomain::NetscapeStepUpMatchesServerAuth( 87 Time notBefore, 88 /*out*/ bool& matches) { 89 return mCertDBTrustDomain.NetscapeStepUpMatchesServerAuth(notBefore, matches); 90 } 91 92 void OCSPVerificationTrustDomain::NoteAuxiliaryExtension( 93 AuxiliaryExtension extension, Input extensionData) { 94 mCertDBTrustDomain.NoteAuxiliaryExtension(extension, extensionData); 95 } 96 97 Result OCSPVerificationTrustDomain::DigestBuf(Input item, 98 DigestAlgorithm digestAlg, Entry(mozilla::pkix::Result aResult,mozilla::pkix::Time aThisUpdate,mozilla::pkix::Time aValidThrough)99 /*out*/ uint8_t* digestBuf, 100 size_t digestBufLen) { 101 return mCertDBTrustDomain.DigestBuf(item, digestAlg, digestBuf, digestBufLen); 102 } 103 104 } // namespace psm 105 } // namespace mozilla 106