security/certverifier/OCSPVerificationTrustDomain.cpp
author Alastor Wu <alwu@mozilla.com>
Tue, 05 Mar 2019 02:06:22 +0000
changeset 516285 dc39216dfad387efd439083045062e323869a428
parent 508163 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1530220 - part1 : allow some non-printable keys as supported user gesture inputs to activate document. r=masayuki,cpearce a=lizzard `carriage return` and `space` are common keys which user might use to start media, so we should take them into account as supported user gesture inputs. As their pseudo char codes are zero, we have to check their key code in order to distinguish them from other control keys such as shift, alt... Differential Revision: https://phabricator.services.mozilla.com/D21253

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "OCSPVerificationTrustDomain.h"

using namespace mozilla;
using namespace mozilla::pkix;

namespace mozilla {
namespace psm {

// Wraps an existing NSSCertDBTrustDomain: mCertDBTrustDomain is initialised
// from the reference passed in, and most of the methods in this file forward
// to it.
// NOTE(review): presumably certDBTrustDomain must outlive this object -
// confirm against the member declaration in OCSPVerificationTrustDomain.h.
OCSPVerificationTrustDomain::OCSPVerificationTrustDomain(
    NSSCertDBTrustDomain& certDBTrustDomain)
    : mCertDBTrustDomain(certDBTrustDomain) {}

// Trust lookup is not altered by this wrapper: every argument, including the
// trustLevel out-parameter, is handed to the wrapped NSSCertDBTrustDomain and
// its Result is returned as-is.
Result OCSPVerificationTrustDomain::GetCertTrust(
    EndEntityOrCA endEntityOrCA, const CertPolicyId& policy,
    Input candidateCertDER,
    /*out*/ TrustLevel& trustLevel) {
  const Result rv = mCertDBTrustDomain.GetCertTrust(
      endEntityOrCA, policy, candidateCertDER, trustLevel);
  return rv;
}

// Not supported by this trust domain. All arguments are ignored and the call
// always fails with FATAL_ERROR_LIBRARY_FAILURE, so an unexpected caller gets
// an error rather than a silently successful issuer search.
Result OCSPVerificationTrustDomain::FindIssuer(Input, IssuerChecker&, Time) {
  // We do not expect this to be called for OCSP signers
  return Result::FATAL_ERROR_LIBRARY_FAILURE;
}

// Not supported by this trust domain. All arguments are ignored and the call
// always fails with FATAL_ERROR_LIBRARY_FAILURE, so a chain is never reported
// as valid through this path.
Result OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time,
                                                 const CertPolicyId&) {
  // We do not expect this to be called for OCSP signers
  return Result::FATAL_ERROR_LIBRARY_FAILURE;
}

// Not supported by this trust domain. All arguments are ignored and the call
// always fails with FATAL_ERROR_LIBRARY_FAILURE; no revocation information is
// consulted here.
Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA,
                                                    const CertID&, Time,
                                                    Duration, const Input*,
                                                    const Input*) {
  // We do not expect this to be called for OCSP signers
  return Result::FATAL_ERROR_LIBRARY_FAILURE;
}

// Accepts every digest algorithm it is asked about: aAlg, aEEOrCA and
// notBefore are never read and the result is always Success. This is the one
// policy check in this file that is answered locally instead of being
// forwarded to mCertDBTrustDomain.
Result OCSPVerificationTrustDomain::CheckSignatureDigestAlgorithm(
    DigestAlgorithm aAlg, EndEntityOrCA aEEOrCA, Time notBefore) {
  // The reason for wrapping the NSSCertDBTrustDomain in an
  // OCSPVerificationTrustDomain is to allow us to bypass the weaker signature
  // algorithm check - thus all allowable signature digest algorithms should
  // always be accepted. This is only needed while we gather telemetry on SHA-1.
  //
  // Security note: because of this, the wrapped domain's digest-strength
  // policy is not applied to signatures verified through this trust domain.
  // NOTE(review): the bypass is described above as temporary (SHA-1 telemetry).
  // Confirm it is still required; once it is not, this method should forward
  // to mCertDBTrustDomain like the key-size and curve checks below.
  return Success;
}

// RSA key-size policy is not relaxed by this wrapper: the decision is made
// entirely by the wrapped NSSCertDBTrustDomain.
Result OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
    EndEntityOrCA aEEOrCA, unsigned int aModulusSizeInBits) {
  const Result rv = mCertDBTrustDomain.CheckRSAPublicKeyModulusSizeInBits(
      aEEOrCA, aModulusSizeInBits);
  return rv;
}

// RSA PKCS#1 signature verification is performed by the wrapped
// NSSCertDBTrustDomain; this method only forwards the signed digest and the
// SubjectPublicKeyInfo and returns the wrapped domain's Result.
Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest(
    const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) {
  const Result rv = mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(
      aSignedDigest, aSubjectPublicKeyInfo);
  return rv;
}

// Curve policy is not relaxed by this wrapper: the decision is made entirely
// by the wrapped NSSCertDBTrustDomain.
Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
    EndEntityOrCA aEEOrCA, NamedCurve aCurve) {
  const Result rv =
      mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve);
  return rv;
}

// ECDSA signature verification is performed by the wrapped
// NSSCertDBTrustDomain; this method only forwards the signed digest and the
// SubjectPublicKeyInfo and returns the wrapped domain's Result.
Result OCSPVerificationTrustDomain::VerifyECDSASignedDigest(
    const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) {
  const Result rv = mCertDBTrustDomain.VerifyECDSASignedDigest(
      aSignedDigest, aSubjectPublicKeyInfo);
  return rv;
}

// Validity-period policy is decided by the wrapped NSSCertDBTrustDomain; the
// four arguments are forwarded in the same order and its Result is returned.
Result OCSPVerificationTrustDomain::CheckValidityIsAcceptable(
    Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
    KeyPurposeId keyPurpose) {
  const Result rv = mCertDBTrustDomain.CheckValidityIsAcceptable(
      notBefore, notAfter, endEntityOrCA, keyPurpose);
  return rv;
}

// Forwards to the wrapped NSSCertDBTrustDomain, which writes the answer into
// the `matches` out-parameter; its Result is returned unchanged.
Result OCSPVerificationTrustDomain::NetscapeStepUpMatchesServerAuth(
    Time notBefore,
    /*out*/ bool& matches) {
  const Result rv =
      mCertDBTrustDomain.NetscapeStepUpMatchesServerAuth(notBefore, matches);
  return rv;
}

// Passes the extension kind and its data straight to the wrapped
// NSSCertDBTrustDomain; nothing is recorded or inspected in this class.
void OCSPVerificationTrustDomain::NoteAuxiliaryExtension(
    AuxiliaryExtension extension, Input extensionData) {
  mCertDBTrustDomain.NoteAuxiliaryExtension(extension, extensionData);
}

// Hashing is done by the wrapped NSSCertDBTrustDomain. digestBuf and
// digestBufLen are forwarded untouched, so any check that the buffer length
// fits the chosen digest algorithm is left to the wrapped implementation.
Result OCSPVerificationTrustDomain::DigestBuf(Input item,
                                              DigestAlgorithm digestAlg,
                                              /*out*/ uint8_t* digestBuf,
                                              size_t digestBufLen) {
  const Result rv =
      mCertDBTrustDomain.DigestBuf(item, digestAlg, digestBuf, digestBufLen);
  return rv;
}

}  // namespace psm
}  // namespace mozilla