nss-3.41/nss/lib/mozpkix/include/pkix/pkixnss.h - manifest_repos/nss - Git at Google

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This code is made available to you under your choice of the following sets
  * of licensing terms:
  */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 /* Copyright 2013 Mozilla Contributors
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #ifndef mozilla_pkix_pkixnss_h
 #define mozilla_pkix_pkixnss_h

 #include <seccomon.h>
 #include "mozpkix/pkixtypes.h"
 #include "prerror.h"

 namespace mozilla {
 namespace pkix {

 // Verifies the PKCS#1.5 signature on the given data using the given RSA public
 // key.
 Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
                                      Input subjectPublicKeyInfo,
                                      void* pkcs11PinArg);

 // Verifies the ECDSA signature on the given data using the given ECC public
 // key.
 Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
                                   Input subjectPublicKeyInfo,
                                   void* pkcs11PinArg);

 // Computes the digest of the given data using the given digest algorithm.
 //
 // item contains the data to hash.
 // digestBuf must point to a buffer to where the digest will be written.
 // digestBufLen must be the size of the buffer, which must be exactly equal
 //              to the size of the digest output (20 for SHA-1, 32 for SHA-256,
 //              etc.)
 //
 // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
 // other, extensive, memory safety efforts in mozilla::pkix, and we should find
 // a way to provide a more-obviously-safe interface.
 Result DigestBufNSS(Input item, DigestAlgorithm digestAlg,
                     /*out*/ uint8_t* digestBuf, size_t digestBufLen);

 Result MapPRErrorCodeToResult(PRErrorCode errorCode);
 PRErrorCode MapResultToPRErrorCode(Result result);

 // The error codes within each module must fit in 16 bits. We want these
 // errors to fit in the same module as the NSS errors but not overlap with
 // any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
 // involves negating the value of the error and then synthesizing an error
 // in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
 // a negative value that both doesn't overlap with the current value
 // ranges for NSS errors and that will fit in 16 bits when negated.
 static const PRErrorCode ERROR_BASE = -0x4000;
 static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;

 enum ErrorCode {
   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
   MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
   MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
   MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
   MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
   MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
   MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
   MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
   MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
   MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
   MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
   MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13,
   MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14,
   MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15,
   END_OF_LIST
 };

 void RegisterErrorTable();

 inline SECItem UnsafeMapInputToSECItem(Input input) {
   SECItem result = {siBuffer, const_cast<uint8_t*>(input.UnsafeGetData()),
                     input.GetLength()};
   static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
                 "input.GetLength() must fit in a SECItem");
   return result;
 }
 }
 }  // namespace mozilla::pkix

 #endif  // mozilla_pkix_pkixnss_h
	/* -- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -- */
	/* vim: set ts=8 sts=2 et sw=2 tw=80: */
	/* This code is made available to you under your choice of the following sets
	* of licensing terms:
	*/
	/* This Source Code Form is subject to the terms of the Mozilla Public
	* License, v. 2.0. If a copy of the MPL was not distributed with this
	* file, You can obtain one at http://mozilla.org/MPL/2.0/.
	*/
	/* Copyright 2013 Mozilla Contributors
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#ifndef mozilla_pkix_pkixnss_h
	#define mozilla_pkix_pkixnss_h

	#include <seccomon.h>
	#include "mozpkix/pkixtypes.h"
	#include "prerror.h"

	namespace mozilla {
	namespace pkix {

	// Verifies the PKCS#1.5 signature on the given data using the given RSA public
	// key.
	Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
	Input subjectPublicKeyInfo,
	void* pkcs11PinArg);

	// Verifies the ECDSA signature on the given data using the given ECC public
	// key.
	Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
	Input subjectPublicKeyInfo,
	void* pkcs11PinArg);

	// Computes the digest of the given data using the given digest algorithm.
	//
	// item contains the data to hash.
	// digestBuf must point to a buffer to where the digest will be written.
	// digestBufLen must be the size of the buffer, which must be exactly equal
	// to the size of the digest output (20 for SHA-1, 32 for SHA-256,
	// etc.)
	//
	// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
	// other, extensive, memory safety efforts in mozilla::pkix, and we should find
	// a way to provide a more-obviously-safe interface.
	Result DigestBufNSS(Input item, DigestAlgorithm digestAlg,
	/out/ uint8_t* digestBuf, size_t digestBufLen);

	Result MapPRErrorCodeToResult(PRErrorCode errorCode);
	PRErrorCode MapResultToPRErrorCode(Result result);

	// The error codes within each module must fit in 16 bits. We want these
	// errors to fit in the same module as the NSS errors but not overlap with
	// any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
	// involves negating the value of the error and then synthesizing an error
	// in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
	// a negative value that both doesn't overlap with the current value
	// ranges for NSS errors and that will fit in 16 bits when negated.
	static const PRErrorCode ERROR_BASE = -0x4000;
	static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;

	enum ErrorCode {
	MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
	MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
	MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
	MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
	MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
	MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
	MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
	MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
	MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
	MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
	MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
	MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
	MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
	MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13,
	MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14,
	MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15,
	END_OF_LIST
	};

	void RegisterErrorTable();

	inline SECItem UnsafeMapInputToSECItem(Input input) {
	SECItem result = {siBuffer, const_cast<uint8_t*>(input.UnsafeGetData()),
	input.GetLength()};
	static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
	"input.GetLength() must fit in a SECItem");
	return result;
	}
	}
	} // namespace mozilla::pkix

	#endif // mozilla_pkix_pkixnss_h