Skip to main content

Browse the archive

https://github.com/mozilla/gecko-dev
11 July 2024, 19:39:14 UTC
Raw File
Tip revision: e458da56bb3d876d2d36503224b455c4546c0577 authored by ffxbld on 25 August 2014, 12:35:09 UTC
Added FIREFOX_31_1_0esr_RELEASE FIREFOX_31_1_0esr_BUILD1 tag(s) for changeset 81747568d309. DONTBUILD CLOSED TREE a=release
Tip revision: e458da5
OCSPCache.h 
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* Copyright 2013 Mozilla Foundation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef mozilla_psm_OCSPCache_h
#define mozilla_psm_OCSPCache_h

#include "certt.h"
#include "hasht.h"
#include "pkix/pkixtypes.h"
#include "mozilla/Mutex.h"
#include "mozilla/Vector.h"
#include "prerror.h"

namespace mozilla { namespace psm {

// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
typedef uint8_t SHA384Buffer[SHA384_LENGTH];

// OCSPCache can store and retrieve OCSP response verification results. Each
// result is keyed on the certificate that purportedly corresponds to it (where
// certificates are distinguished based on serial number, issuer, and
// issuer public key, much like in an encoded OCSP response itself). A maximum
// of 1024 distinct entries can be stored.
// OCSPCache is thread-safe.
class OCSPCache
{
public:
  OCSPCache();
  ~OCSPCache();

  // Returns true if the status of the given certificate (issued by the given
  // issuer) is in the cache, and false otherwise.
  // If it is in the cache, returns by reference the error code of the cached
  // status and the time through which the status is considered trustworthy.
  bool Get(const CERTCertificate* aCert, const CERTCertificate* aIssuerCert,
           /* out */ PRErrorCode& aErrorCode, /* out */ PRTime& aValidThrough);

  // Caches the status of the given certificate (issued by the given issuer).
  // The status is considered trustworthy through the given time.
  // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
  // be replaced or evicted.
  // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
  // be evicted when the cache is full.
  // A status with a more recent thisUpdate will not be replaced with a
  // status with a less recent thisUpdate unless the less recent status
  // indicates the certificate is revoked.
  SECStatus Put(const CERTCertificate* aCert,
                const CERTCertificate* aIssuerCert,
                PRErrorCode aErrorCode,
                PRTime aThisUpdate,
                PRTime aValidThrough);

  // Removes everything from the cache.
  void Clear();

private:
  class Entry
  {
  public:
    SECStatus Init(const CERTCertificate* aCert,
                   const CERTCertificate* aIssuerCert,
                   PRErrorCode aErrorCode, PRTime aThisUpdate,
                   PRTime aValidThrough);

    PRErrorCode mErrorCode;
    PRTime mThisUpdate;
    PRTime mValidThrough;
    // The SHA-384 hash of the concatenation of the DER encodings of the
    // issuer name and issuer key, followed by the serial number.
    // See the documentation for CertIDHash in OCSPCache.cpp.
    SHA384Buffer mIDHash;
  };

  int32_t FindInternal(const CERTCertificate* aCert,
                       const CERTCertificate* aIssuerCert,
                       const MutexAutoLock& aProofOfLock);
  void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
  void LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
                    const CERTCertificate* aIssuerCert);

  Mutex mMutex;
  static const size_t MaxEntries = 1024;
  // Sorted with the most-recently-used entry at the end.
  // Using 256 here reserves as much possible inline storage as the vector
  // implementation will give us. 1024 bytes is the maximum it allows,
  // which results in 256 Entry pointers or 128 Entry pointers, depending
  // on the size of a pointer.
  Vector<Entry*, 256> mEntries;
};

} } // namespace mozilla::psm

#endif // mozilla_psm_OCSPCache_h
back to top