/usr/include/firefox-esr-52/BRNameMatchingPolicy.h is in firefox-esr-dev 52.8.1esr-1~deb8u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef BRNameMatchingPolicy_h
#define BRNameMatchingPolicy_h
#include "pkix/pkixtypes.h"
namespace mozilla { namespace psm {
// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
// the requirements of the subject common name field are as follows:
// "If present, this field MUST contain a single IP address or Fully‐Qualified
// Domain Name that is one of the values contained in the Certificate’s
// subjectAltName extension". Consequently, since any name information present
// in the common name must be present in the subject alternative name extension,
// when performing name matching, it should not be necessary to fall back to the
// common name. Because this consequence has not commonly been enforced, this
// implementation provides a mechanism to start enforcing it gradually while
// maintaining some backwards compatibility. If configured with the mode
// "EnforceAfter23August2016", name matching will only fall back to using the
// subject common name for certificates where the notBefore field is before 23
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
// available. This is to provide a balance between allowing preexisting
// long-lived certificates and detecting newly-issued problematic certificates.
// Note that this implementation does not actually directly enforce that if the
// subject common name is present, its value corresponds to a dNSName or
// iPAddress entry in the subject alternative name extension.
class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy
{
public:
enum class Mode {
DoNotEnforce = 0,
EnforceAfter23August2016 = 1,
EnforceAfter23August2015 = 2,
Enforce = 3,
};
explicit BRNameMatchingPolicy(Mode mode)
: mMode(mode)
{
}
virtual mozilla::pkix::Result FallBackToCommonName(
mozilla::pkix::Time notBefore,
/*out*/ mozilla::pkix::FallBackToSearchWithinSubject& fallBacktoCommonName)
override;
private:
Mode mMode;
};
} } // namespace mozilla::psm
#endif // BRNameMatchingPolicy_h
|