security/certverifier/BRNameMatchingPolicy.h
author Alastor Wu <alwu@mozilla.com>
Tue, 05 Mar 2019 02:06:22 +0000
changeset 516285 dc39216dfad387efd439083045062e323869a428
parent 508163 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1530220 - part1 : allow some non-printalble keys as supported user gesture inputs to activate document. r=masayuki,cpearce a=lizzard `carriage return` and `space` are common keys which user might use to start media, so we should take account them as supported user gesture inputs. As their pseudo char code are zero, we have to check their key code in order to distinguish them from other controls keys such as shift, alt... Differential Revision: https://phabricator.services.mozilla.com/D21253

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef BRNameMatchingPolicy_h
#define BRNameMatchingPolicy_h

#include "mozpkix/pkixtypes.h"

namespace mozilla {
namespace psm {

// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
// the requirements of the subject common name field are as follows:
// "If present, this field MUST contain a single IP address or Fully‐Qualified
// Domain Name that is one of the values contained in the Certificate’s
// subjectAltName extension". Consequently, since any name information present
// in the common name must be present in the subject alternative name extension,
// when performing name matching, it should not be necessary to fall back to the
// common name. Because this consequence has not commonly been enforced, this
// implementation provides a mechanism to start enforcing it gradually while
// maintaining some backwards compatibility. If configured with the mode
// "EnforceAfter23August2016", name matching will only fall back to using the
// subject common name for certificates where the notBefore field is before 23
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
// available. This is to provide a balance between allowing preexisting
// long-lived certificates and detecting newly-issued problematic certificates.
// Note that this implementation does not actually directly enforce that if the
// subject common name is present, its value corresponds to a dNSName or
// iPAddress entry in the subject alternative name extension.

class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy {
 public:
  enum class Mode {
    DoNotEnforce = 0,
    EnforceAfter23August2016 = 1,
    EnforceAfter23August2015 = 2,
    Enforce = 3,
  };

  explicit BRNameMatchingPolicy(Mode mode) : mMode(mode) {}

  virtual mozilla::pkix::Result FallBackToCommonName(
      mozilla::pkix::Time notBefore,
      /*out*/ mozilla::pkix::FallBackToSearchWithinSubject&
          fallBacktoCommonName) override;

 private:
  Mode mMode;
};

}  // namespace psm
}  // namespace mozilla

#endif  // BRNameMatchingPolicy_h