From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin" <mattatobin@localhost.localdomain>
Date: Fri, 2 Feb 2018 04:16:08 -0500
Subject: Add m-esr52 at 52.6.0

---
 .../certverifier/OCSPVerificationTrustDomain.cpp   | 128 +++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 security/certverifier/OCSPVerificationTrustDomain.cpp

(limited to 'security/certverifier/OCSPVerificationTrustDomain.cpp')

diff --git a/security/certverifier/OCSPVerificationTrustDomain.cpp b/security/certverifier/OCSPVerificationTrustDomain.cpp
new file mode 100644
index 000000000..fa018458c
--- /dev/null
+++ b/security/certverifier/OCSPVerificationTrustDomain.cpp
@@ -0,0 +1,128 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OCSPVerificationTrustDomain.h"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+
+namespace mozilla { namespace psm {
+
+OCSPVerificationTrustDomain::OCSPVerificationTrustDomain(
+  NSSCertDBTrustDomain& certDBTrustDomain)
+  : mCertDBTrustDomain(certDBTrustDomain)
+{
+}
+
+Result
+OCSPVerificationTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
+                                          const CertPolicyId& policy,
+                                          Input candidateCertDER,
+                                  /*out*/ TrustLevel& trustLevel)
+{
+  return mCertDBTrustDomain.GetCertTrust(endEntityOrCA, policy,
+                                         candidateCertDER, trustLevel);
+}
+
+
+Result
+OCSPVerificationTrustDomain::FindIssuer(Input, IssuerChecker&, Time)
+{
+  // We do not expect this to be called for OCSP signers
+  return Result::FATAL_ERROR_LIBRARY_FAILURE;
+}
+
+Result
+OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time)
+{
+  // We do not expect this to be called for OCSP signers
+  return Result::FATAL_ERROR_LIBRARY_FAILURE;
+}
+
+Result
+OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&,
+                                             Time, Duration, const Input*,
+                                             const Input*)
+{
+  // We do not expect this to be called for OCSP signers
+  return Result::FATAL_ERROR_LIBRARY_FAILURE;
+}
+
+Result
+OCSPVerificationTrustDomain::CheckSignatureDigestAlgorithm(
+  DigestAlgorithm aAlg, EndEntityOrCA aEEOrCA, Time notBefore)
+{
+  // The reason for wrapping the NSSCertDBTrustDomain in an
+  // OCSPVerificationTrustDomain is to allow us to bypass the weaker signature
+  // algorithm check - thus all allowable signature digest algorithms should
+  // always be accepted. This is only needed while we gather telemetry on SHA-1.
+  return Success;
+}
+
+Result
+OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
+  EndEntityOrCA aEEOrCA, unsigned int aModulusSizeInBits)
+{
+  return mCertDBTrustDomain.
+      CheckRSAPublicKeyModulusSizeInBits(aEEOrCA, aModulusSizeInBits);
+}
+
+Result
+OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest(
+  const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo)
+{
+  return mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(aSignedDigest,
+                                                       aSubjectPublicKeyInfo);
+}
+
+Result
+OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
+  EndEntityOrCA aEEOrCA, NamedCurve aCurve)
+{
+  return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve);
+}
+
+Result
+OCSPVerificationTrustDomain::VerifyECDSASignedDigest(
+  const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo)
+{
+  return mCertDBTrustDomain.VerifyECDSASignedDigest(aSignedDigest,
+                                                    aSubjectPublicKeyInfo);
+}
+
+Result
+OCSPVerificationTrustDomain::CheckValidityIsAcceptable(
+  Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
+  KeyPurposeId keyPurpose)
+{
+  return mCertDBTrustDomain.CheckValidityIsAcceptable(notBefore, notAfter,
+                                                      endEntityOrCA,
+                                                      keyPurpose);
+}
+
+Result
+OCSPVerificationTrustDomain::NetscapeStepUpMatchesServerAuth(Time notBefore,
+                                                     /*out*/ bool& matches)
+{
+  return mCertDBTrustDomain.NetscapeStepUpMatchesServerAuth(notBefore, matches);
+}
+
+void
+OCSPVerificationTrustDomain::NoteAuxiliaryExtension(
+  AuxiliaryExtension extension, Input extensionData)
+{
+  mCertDBTrustDomain.NoteAuxiliaryExtension(extension, extensionData);
+}
+
+Result
+OCSPVerificationTrustDomain::DigestBuf(
+  Input item, DigestAlgorithm digestAlg,
+  /*out*/ uint8_t* digestBuf, size_t digestBufLen)
+{
+  return mCertDBTrustDomain.DigestBuf(item, digestAlg, digestBuf, digestBufLen);
+}
+
+} } // namespace mozilla::psm
-- 
cgit v1.2.3