summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFranziskus Kiefer <franziskuskiefer@gmail.com>2018-08-03 12:11:13 +0200
committerFranziskus Kiefer <franziskuskiefer@gmail.com>2018-08-03 12:11:13 +0200
commitdd5e833c06563f2b8af5c60f2f0493959d2eeb78 (patch)
tree46f4249a2be0186fe90359ae9909a7b545f12408
parent3d77547100b65036e847925ea82fba1f4b16eb20 (diff)
downloadnss-hg-dd5e833c06563f2b8af5c60f2f0493959d2eeb78.tar.gz
Bug 1479787 - clang-format, r=mt,keeler
Differential Revision: https://phabricator.services.mozilla.com/D2721
Diffstat
-rw-r--r--gtests/mozpkix_gtest/pkixgtest.h128
-rw-r--r--lib/mozpkix/include/pkix-test/pkixtestnss.h13
-rw-r--r--lib/mozpkix/include/pkix-test/pkixtestutil.h207
-rw-r--r--lib/mozpkix/include/pkix/Input.h124
-rw-r--r--lib/mozpkix/include/pkix/Result.h248
-rw-r--r--lib/mozpkix/include/pkix/Time.h84
-rw-r--r--lib/mozpkix/include/pkix/pkix.h29
-rw-r--r--lib/mozpkix/include/pkix/pkixcheck.h25
-rw-r--r--lib/mozpkix/include/pkix/pkixder.h258
-rw-r--r--lib/mozpkix/include/pkix/pkixnss.h28
-rw-r--r--lib/mozpkix/include/pkix/pkixtypes.h148
-rw-r--r--lib/mozpkix/include/pkix/pkixutil.h138
-rw-r--r--nss-tool/enc/enctool.h2
13 files changed, 598 insertions, 834 deletions
diff --git a/gtests/mozpkix_gtest/pkixgtest.h b/gtests/mozpkix_gtest/pkixgtest.h
index 4f362e78b..bb3491d44 100644
--- a/gtests/mozpkix_gtest/pkixgtest.h
+++ b/gtests/mozpkix_gtest/pkixgtest.h
@@ -40,10 +40,10 @@
#pragma warning(push, 3)
// C4224: Nonstandard extension used: formal parameter 'X' was previously
// defined as a type.
-#pragma warning(disable: 4224)
+#pragma warning(disable : 4224)
// C4826: Conversion from 'type1 ' to 'type_2' is sign - extended. This may
// cause unexpected runtime behavior.
-#pragma warning(disable: 4826)
+#pragma warning(disable : 4826)
#endif
#include "gtest/gtest.h"
@@ -60,11 +60,10 @@
#include "mozpkix/test/pkixtestutil.h"
// PrintTo must be in the same namespace as the type we're overloading it for.
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
-inline void
-PrintTo(const Result& result, ::std::ostream* os)
-{
+inline void PrintTo(const Result& result, ::std::ostream* os) {
const char* stringified = MapResultToName(result);
if (stringified) {
*os << stringified;
@@ -72,10 +71,12 @@ PrintTo(const Result& result, ::std::ostream* os)
*os << "mozilla::pkix::Result(" << static_cast<unsigned int>(result) << ")";
}
}
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-namespace mozilla { namespace pkix { namespace test {
+namespace mozilla {
+namespace pkix {
+namespace test {
extern const std::time_t oneDayBeforeNow;
extern const std::time_t oneDayAfterNow;
@@ -84,172 +85,145 @@ extern const std::time_t twoDaysAfterNow;
extern const std::time_t tenDaysBeforeNow;
extern const std::time_t tenDaysAfterNow;
-
-class EverythingFailsByDefaultTrustDomain : public TrustDomain
-{
-public:
- Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
- Input, /*out*/ TrustLevel&) override
- {
+class EverythingFailsByDefaultTrustDomain : public TrustDomain {
+ public:
+ Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+ /*out*/ TrustLevel&) override {
ADD_FAILURE();
return NotReached("GetCertTrust should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result FindIssuer(Input, IssuerChecker&, Time) override
- {
+ Result FindIssuer(Input, IssuerChecker&, Time) override {
ADD_FAILURE();
return NotReached("FindIssuer should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*,
- /*optional*/ const Input*) override
- {
+ /*optional*/ const Input*,
+ /*optional*/ const Input*) override {
ADD_FAILURE();
return NotReached("CheckRevocation should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
- {
+ Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override {
ADD_FAILURE();
return NotReached("IsChainValid should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result DigestBuf(Input, DigestAlgorithm, /*out*/ uint8_t*, size_t) override
- {
+ Result DigestBuf(Input, DigestAlgorithm, /*out*/ uint8_t*, size_t) override {
ADD_FAILURE();
return NotReached("DigestBuf should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result CheckSignatureDigestAlgorithm(DigestAlgorithm,
- EndEntityOrCA,
- Time) override
- {
+ Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+ Time) override {
ADD_FAILURE();
return NotReached("CheckSignatureDigestAlgorithm should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override
- {
+ Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
ADD_FAILURE();
return NotReached("CheckECDSACurveIsAcceptable should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result VerifyECDSASignedDigest(const SignedDigest&, Input) override
- {
+ Result VerifyECDSASignedDigest(const SignedDigest&, Input) override {
ADD_FAILURE();
return NotReached("VerifyECDSASignedDigest should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
- override
- {
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+ unsigned int) override {
ADD_FAILURE();
return NotReached("CheckRSAPublicKeyModulusSizeInBits should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override
- {
+ Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override {
ADD_FAILURE();
return NotReached("VerifyRSAPKCS1SignedDigest should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
- override
- {
+ Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+ KeyPurposeId) override {
ADD_FAILURE();
return NotReached("CheckValidityIsAcceptable should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- Result NetscapeStepUpMatchesServerAuth(Time, bool&) override
- {
+ Result NetscapeStepUpMatchesServerAuth(Time, bool&) override {
ADD_FAILURE();
return NotReached("NetscapeStepUpMatchesServerAuth should not be called",
Result::FATAL_ERROR_LIBRARY_FAILURE);
}
- virtual void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override
- {
+ virtual void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {
ADD_FAILURE();
}
};
-class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain
-{
+class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain {
Result DigestBuf(Input item, DigestAlgorithm digestAlg,
- /*out*/ uint8_t* digestBuf, size_t digestBufLen) override
- {
+ /*out*/ uint8_t* digestBuf, size_t digestBufLen) override {
return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
}
- Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, Time)
- override
- {
+ Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+ Time) override {
return Success;
}
- Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override
- {
+ Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
return Success;
}
Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
- Input subjectPublicKeyInfo) override
- {
+ Input subjectPublicKeyInfo) override {
return TestVerifyECDSASignedDigest(signedDigest, subjectPublicKeyInfo);
}
- Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
- override
- {
+ Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+ unsigned int) override {
return Success;
}
Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
- Input subjectPublicKeyInfo) override
- {
+ Input subjectPublicKeyInfo) override {
return TestVerifyRSAPKCS1SignedDigest(signedDigest, subjectPublicKeyInfo);
}
- Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
- override
- {
+ Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+ KeyPurposeId) override {
return Success;
}
- Result NetscapeStepUpMatchesServerAuth(Time, /*out*/ bool& matches) override
- {
+ Result NetscapeStepUpMatchesServerAuth(Time, /*out*/ bool& matches) override {
matches = true;
return Success;
}
- void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override
- {
- }
+ void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {}
};
-class DefaultNameMatchingPolicy : public NameMatchingPolicy
-{
-public:
+class DefaultNameMatchingPolicy : public NameMatchingPolicy {
+ public:
virtual Result FallBackToCommonName(
- Time, /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override
- {
+ Time,
+ /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override {
fallBackToCommonName = FallBackToSearchWithinSubject::Yes;
return Success;
}
};
+}
+}
+} // namespace mozilla::pkix::test
-} } } // namespace mozilla::pkix::test
-
-#endif // mozilla_pkix_pkixgtest_h
+#endif // mozilla_pkix_pkixgtest_h
diff --git a/lib/mozpkix/include/pkix-test/pkixtestnss.h b/lib/mozpkix/include/pkix-test/pkixtestnss.h
index 199659d7f..5ae776f6a 100644
--- a/lib/mozpkix/include/pkix-test/pkixtestnss.h
+++ b/lib/mozpkix/include/pkix-test/pkixtestnss.h
@@ -31,15 +31,18 @@
#include <keyhi.h>
#include <keythi.h>
-#include "mozpkix/test/pkixtestutil.h"
#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/test/pkixtestutil.h"
-namespace mozilla { namespace pkix { namespace test {
+namespace mozilla {
+namespace pkix {
+namespace test {
TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
const ScopedSECKEYPublicKey& publicKey,
const ScopedSECKEYPrivateKey& privateKey);
+}
+}
+} // namespace mozilla::pkix::test
-} } } // namespace mozilla::pkix::test
-
-#endif // mozilla_pkix_test_pkixtestnss_h
+#endif // mozilla_pkix_test_pkixtestnss_h
diff --git a/lib/mozpkix/include/pkix-test/pkixtestutil.h b/lib/mozpkix/include/pkix-test/pkixtestutil.h
index f917341ff..55c435419 100644
--- a/lib/mozpkix/include/pkix-test/pkixtestutil.h
+++ b/lib/mozpkix/include/pkix-test/pkixtestutil.h
@@ -25,23 +25,23 @@
#ifndef mozilla_pkix_test_pkixtestutil_h
#define mozilla_pkix_test_pkixtestutil_h
-#include <ctime>
#include <cstdint>
-#include <string>
#include <cstring>
+#include <ctime>
+#include <string>
#include "mozpkix/pkixtypes.h"
-namespace mozilla { namespace pkix { namespace test {
+namespace mozilla {
+namespace pkix {
+namespace test {
typedef std::basic_string<uint8_t> ByteString;
inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
template <size_t L>
-inline ByteString
-BytesToByteString(const uint8_t (&bytes)[L])
-{
+inline ByteString BytesToByteString(const uint8_t (&bytes)[L]) {
return ByteString(bytes, L);
}
@@ -64,17 +64,14 @@ bool InputEqualsByteString(Input input, const ByteString& bs);
ByteString InputToByteString(Input input);
// python DottedOIDToCode.py --tlv id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
-static const uint8_t tlv_id_kp_OCSPSigning[] = {
- 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
-};
+static const uint8_t tlv_id_kp_OCSPSigning[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+ 0x05, 0x05, 0x07, 0x03, 0x09};
// python DottedOIDToCode.py --tlv id-kp-serverAuth 1.3.6.1.5.5.7.3.1
-static const uint8_t tlv_id_kp_serverAuth[] = {
- 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
-};
+static const uint8_t tlv_id_kp_serverAuth[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+ 0x05, 0x05, 0x07, 0x03, 0x01};
-enum class TestDigestAlgorithmID
-{
+enum class TestDigestAlgorithmID {
MD2,
MD5,
SHA1,
@@ -84,12 +81,10 @@ enum class TestDigestAlgorithmID
SHA512,
};
-struct TestPublicKeyAlgorithm
-{
+struct TestPublicKeyAlgorithm {
explicit TestPublicKeyAlgorithm(const ByteString& aAlgorithmIdentifier)
- : algorithmIdentifier(aAlgorithmIdentifier) { }
- bool operator==(const TestPublicKeyAlgorithm& other) const
- {
+ : algorithmIdentifier(aAlgorithmIdentifier) {}
+ bool operator==(const TestPublicKeyAlgorithm& other) const {
return algorithmIdentifier == other.algorithmIdentifier;
}
ByteString algorithmIdentifier;
@@ -102,12 +97,10 @@ ByteString DSS_G();
TestPublicKeyAlgorithm DSS();
TestPublicKeyAlgorithm RSA_PKCS1();
-struct TestSignatureAlgorithm
-{
+struct TestSignatureAlgorithm {
TestSignatureAlgorithm(const TestPublicKeyAlgorithm& publicKeyAlg,
TestDigestAlgorithmID digestAlg,
- const ByteString& algorithmIdentifier,
- bool accepted);
+ const ByteString& algorithmIdentifier, bool accepted);
TestPublicKeyAlgorithm publicKeyAlg;
TestDigestAlgorithmID digestAlg;
@@ -126,9 +119,7 @@ mozilla::pkix::Time YMDHMS(uint16_t year, uint16_t month, uint16_t day,
ByteString TLV(uint8_t tag, size_t length, const ByteString& value);
-inline ByteString
-TLV(uint8_t tag, const ByteString& value)
-{
+inline ByteString TLV(uint8_t tag, const ByteString& value) {
return TLV(tag, value.length(), value);
}
@@ -137,18 +128,14 @@ TLV(uint8_t tag, const ByteString& value)
// string literals as the last parameter to the following two functions.
template <size_t N>
-inline ByteString
-TLV(uint8_t tag, const char(&value)[N])
-{
+inline ByteString TLV(uint8_t tag, const char (&value)[N]) {
static_assert(N > 0, "cannot have string literal of size 0");
assert(value[N - 1] == 0);
return TLV(tag, ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
}
template <size_t N>
-inline ByteString
-TLV(uint8_t tag, size_t length, const char(&value)[N])
-{
+inline ByteString TLV(uint8_t tag, size_t length, const char (&value)[N]) {
static_assert(N > 0, "cannot have string literal of size 0");
assert(value[N - 1] == 0);
return TLV(tag, length,
@@ -160,29 +147,27 @@ ByteString Integer(long value);
ByteString CN(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
-inline ByteString
-CN(const char* value, uint8_t encodingTag = 0x0c /*UTF8String*/)
-{
- return CN(ByteString(reinterpret_cast<const uint8_t*>(value),
- std::strlen(value)), encodingTag);
+inline ByteString CN(const char* value,
+ uint8_t encodingTag = 0x0c /*UTF8String*/) {
+ return CN(
+ ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+ encodingTag);
}
ByteString OU(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
-inline ByteString
-OU(const char* value, uint8_t encodingTag = 0x0c /*UTF8String*/)
-{
- return OU(ByteString(reinterpret_cast<const uint8_t*>(value),
- std::strlen(value)), encodingTag);
+inline ByteString OU(const char* value,
+ uint8_t encodingTag = 0x0c /*UTF8String*/) {
+ return OU(
+ ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+ encodingTag);
}
ByteString emailAddress(const ByteString&);
-inline ByteString
-emailAddress(const char* value)
-{
- return emailAddress(ByteString(reinterpret_cast<const uint8_t*>(value),
- std::strlen(value)));
+inline ByteString emailAddress(const char* value) {
+ return emailAddress(
+ ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)));
}
// RelativeDistinguishedName ::=
@@ -197,17 +182,11 @@ ByteString RDN(const ByteString& avas);
//
ByteString Name(const ByteString& rdns);
-inline ByteString
-CNToDERName(const ByteString& cn)
-{
+inline ByteString CNToDERName(const ByteString& cn) {
return Name(RDN(CN(cn)));
}
-inline ByteString
-CNToDERName(const char* cn)
-{
- return Name(RDN(CN(cn)));
-}
+inline ByteString CNToDERName(const char* cn) { return Name(RDN(CN(cn))); }
// GeneralName ::= CHOICE {
// otherName [0] OtherName,
@@ -220,55 +199,40 @@ CNToDERName(const char* cn)
// iPAddress [7] OCTET STRING,
// registeredID [8] OBJECT IDENTIFIER }
-inline ByteString
-RFC822Name(const ByteString& name)
-{
+inline ByteString RFC822Name(const ByteString& name) {
// (2 << 6) means "context-specific", 1 is the GeneralName tag.
return TLV((2 << 6) | 1, name);
}
template <size_t L>
-inline ByteString
-RFC822Name(const char (&bytes)[L])
-{
- return RFC822Name(ByteString(reinterpret_cast<const uint8_t*>(&bytes),
- L - 1));
+inline ByteString RFC822Name(const char (&bytes)[L]) {
+ return RFC822Name(
+ ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
}
-inline ByteString
-DNSName(const ByteString& name)
-{
+inline ByteString DNSName(const ByteString& name) {
// (2 << 6) means "context-specific", 2 is the GeneralName tag.
return TLV((2 << 6) | 2, name);
}
template <size_t L>
-inline ByteString
-DNSName(const char (&bytes)[L])
-{
- return DNSName(ByteString(reinterpret_cast<const uint8_t*>(&bytes),
- L - 1));
+inline ByteString DNSName(const char (&bytes)[L]) {
+ return DNSName(ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
}
-inline ByteString
-DirectoryName(const ByteString& name)
-{
+inline ByteString DirectoryName(const ByteString& name) {
// (2 << 6) means "context-specific", (1 << 5) means "constructed", and 4 is
// the DirectoryName tag.
return TLV((2 << 6) | (1 << 5) | 4, name);
}
-inline ByteString
-IPAddress()
-{
+inline ByteString IPAddress() {
// (2 << 6) means "context-specific", 7 is the GeneralName tag.
return TLV((2 << 6) | 7, ByteString());
}
template <size_t L>
-inline ByteString
-IPAddress(const uint8_t (&bytes)[L])
-{
+inline ByteString IPAddress(const uint8_t (&bytes)[L]) {
// (2 << 6) means "context-specific", 7 is the GeneralName tag.
return TLV((2 << 6) | 7, ByteString(bytes, L));
}
@@ -282,10 +246,9 @@ IPAddress(const uint8_t (&bytes)[L])
ByteString CreateEncodedSubjectAltName(const ByteString& names);
ByteString CreateEncodedEmptySubjectAltName();
-class TestKeyPair
-{
-public:
- virtual ~TestKeyPair() { }
+class TestKeyPair {
+ public:
+ virtual ~TestKeyPair() {}
const TestPublicKeyAlgorithm publicKeyAlg;
@@ -302,8 +265,10 @@ public:
/*out*/ ByteString& signature) const = 0;
virtual TestKeyPair* Clone() const = 0;
-protected:
- TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg, const ByteString& spk);
+
+ protected:
+ TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg,
+ const ByteString& spk);
TestKeyPair(const TestKeyPair&) = delete;
void operator=(const TestKeyPair&) = delete;
};
@@ -347,24 +312,21 @@ enum Version { v1 = 0, v2 = 1, v3 = 2 };
// extensions must point to an array of ByteStrings, terminated with an empty
// ByteString. (If the first item of the array is empty then an empty
// Extensions sequence will be encoded.)
-ByteString CreateEncodedCertificate(long version,
- const TestSignatureAlgorithm& signature,
- const ByteString& serialNumber,
- const ByteString& issuerNameDER,
- time_t notBefore, time_t notAfter,
- const ByteString& subjectNameDER,
- const TestKeyPair& subjectKeyPair,
- /*optional*/ const ByteString* extensions,
- const TestKeyPair& issuerKeyPair,
- const TestSignatureAlgorithm& signatureAlgorithm);
+ByteString CreateEncodedCertificate(
+ long version, const TestSignatureAlgorithm& signature,
+ const ByteString& serialNumber, const ByteString& issuerNameDER,
+ time_t notBefore, time_t notAfter, const ByteString& subjectNameDER,
+ const TestKeyPair& subjectKeyPair,
+ /*optional*/ const ByteString* extensions, const TestKeyPair& issuerKeyPair,
+ const TestSignatureAlgorithm& signatureAlgorithm);
ByteString CreateEncodedSerialNumber(long value);
enum class Critical { No = 0, Yes = 1 };
-ByteString CreateEncodedBasicConstraints(bool isCA,
- /*optional in*/ const long* pathLenConstraint,
- Critical critical);
+ByteString CreateEncodedBasicConstraints(
+ bool isCA,
+ /*optional in*/ const long* pathLenConstraint, Critical critical);
// Creates a DER-encoded extKeyUsage extension with one EKU OID.
ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
@@ -372,9 +334,8 @@ ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
///////////////////////////////////////////////////////////////////////////////
// Encode OCSP responses
-class OCSPResponseExtension final
-{
-public:
+class OCSPResponseExtension final {
+ public:
OCSPResponseExtension();
ByteString id;
@@ -383,9 +344,8 @@ public:
OCSPResponseExtension* next;
};
-class OCSPResponseContext final
-{
-public:
+class OCSPResponseContext final {
+ public:
OCSPResponseContext(const CertID& certID, std::time_t time);
const CertID& certID;
@@ -393,8 +353,7 @@ public:
// The fields below are in the order that they appear in an OCSP response.
- enum OCSPResponseStatus
- {
+ enum OCSPResponseStatus {
successful = 0,
malformedRequest = 1,
internalError = 2,
@@ -403,13 +362,13 @@ public:
sigRequired = 5,
unauthorized = 6,
};
- uint8_t responseStatus; // an OCSPResponseStatus or an invalid value
- bool skipResponseBytes; // If true, don't include responseBytes
+ uint8_t responseStatus; // an OCSPResponseStatus or an invalid value
+ bool skipResponseBytes; // If true, don't include responseBytes
// responderID
- ByteString signerNameDER; // If set, responderID will use the byName
- // form; otherwise responderID will use the
- // byKeyHash form.
+ ByteString signerNameDER; // If set, responderID will use the byName
+ // form; otherwise responderID will use the
+ // byKeyHash form.
std::time_t producedAt;
@@ -417,31 +376,31 @@ public:
OCSPResponseExtension* singleExtensions;
// ResponseData extensions.
OCSPResponseExtension* responseExtensions;
- bool includeEmptyExtensions; // If true, include the extension wrapper
- // regardless of if there are any actual
- // extensions.
+ bool includeEmptyExtensions; // If true, include the extension wrapper
+ // regardless of if there are any actual
+ // extensions.
ScopedTestKeyPair signerKeyPair;
TestSignatureAlgorithm signatureAlgorithm;
- bool badSignature; // If true, alter the signature to fail verification
- const ByteString* certs; // optional; array terminated by an empty string
+ bool badSignature; // If true, alter the signature to fail verification
+ const ByteString* certs; // optional; array terminated by an empty string
// The following fields are on a per-SingleResponse basis. In the future we
// may support including multiple SingleResponses per response.
- enum CertStatus
- {
+ enum CertStatus {
good = 0,
revoked = 1,
unknown = 2,
};
- uint8_t certStatus; // CertStatus or an invalid value
- std::time_t revocationTime; // For certStatus == revoked
+ uint8_t certStatus; // CertStatus or an invalid value
+ std::time_t revocationTime; // For certStatus == revoked
std::time_t thisUpdate;
std::time_t nextUpdate;
bool includeNextUpdate;
};
ByteString CreateEncodedOCSPResponse(OCSPResponseContext& context);
+}
+}
+} // namespace mozilla::pkix::test
-} } } // namespace mozilla::pkix::test
-
-#endif // mozilla_pkix_test_pkixtestutil_h
+#endif // mozilla_pkix_test_pkixtestutil_h
diff --git a/lib/mozpkix/include/pkix/Input.h b/lib/mozpkix/include/pkix/Input.h
index df9365264..11b2a0f7e 100644
--- a/lib/mozpkix/include/pkix/Input.h
+++ b/lib/mozpkix/include/pkix/Input.h
@@ -30,7 +30,8 @@
#include "mozpkix/Result.h"
#include "stdint.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
class Reader;
@@ -49,9 +50,8 @@ class Reader;
//
// Note that in the example, GoodExample has the same performance
// characteristics as WorseExample, but with much better safety guarantees.
-class Input final
-{
-public:
+class Input final {
+ public:
typedef uint16_t size_type;
// This constructor is useful for inputs that are statically known to be of a
@@ -66,26 +66,17 @@ public:
// Input expected;
// Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
template <size_type N>
- explicit Input(const uint8_t (&aData)[N])
- : data(aData)
- , len(N)
- {
- }
+ explicit Input(const uint8_t (&aData)[N]) : data(aData), len(N) {}
// Construct a valid, empty, Init-able Input.
- Input()
- : data(nullptr)
- , len(0u)
- {
- }
+ Input() : data(nullptr), len(0u) {}
// This is intentionally not explicit in order to allow value semantics.
Input(const Input&) = default;
// Initialize the input. data must be non-null and len must be less than
// 65536. Init may not be called more than once.
- Result Init(const uint8_t* aData, size_t aLen)
- {
+ Result Init(const uint8_t* aData, size_t aLen) {
if (this->data) {
// already initialized
return Result::FATAL_ERROR_INVALID_ARGS;
@@ -107,10 +98,7 @@ public:
// This is basically operator=, but it wasn't given that name because
// normally callers do not check the result of operator=, and normally
// operator= can be used multiple times.
- Result Init(Input other)
- {
- return Init(other.data, other.len);
- }
+ Result Init(Input other) { return Init(other.data, other.len); }
// Returns the length of the input.
//
@@ -122,18 +110,17 @@ public:
// don't want to declare in this header file.
const uint8_t* UnsafeGetData() const { return data; }
-private:
+ private:
const uint8_t* data;
size_t len;
- void operator=(const Input&) = delete; // Use Init instead.
+ void operator=(const Input&) = delete; // Use Init instead.
};
-inline bool
-InputsAreEqual(const Input& a, const Input& b)
-{
+inline bool InputsAreEqual(const Input& a, const Input& b) {
return a.GetLength() == b.GetLength() &&
- std::equal(a.UnsafeGetData(), a.UnsafeGetData() + a.GetLength(), b.UnsafeGetData());
+ std::equal(a.UnsafeGetData(), a.UnsafeGetData() + a.GetLength(),
+ b.UnsafeGetData());
}
// An Reader is a cursor/iterator through the contents of an Input, designed to
@@ -144,23 +131,15 @@ InputsAreEqual(const Input& a, const Input& b)
//
// In general, Reader allows for one byte of lookahead and no backtracking.
// However, the Match* functions internally may have more lookahead.
-class Reader final
-{
-public:
- Reader()
- : input(nullptr)
- , end(nullptr)
- {
- }
+class Reader final {
+ public:
+ Reader() : input(nullptr), end(nullptr) {}
explicit Reader(Input aInput)
- : input(aInput.UnsafeGetData())
- , end(aInput.UnsafeGetData() + aInput.GetLength())
- {
- }
+ : input(aInput.UnsafeGetData()),
+ end(aInput.UnsafeGetData() + aInput.GetLength()) {}
- Result Init(Input aInput)
- {
+ Result Init(Input aInput) {
if (this->input) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
@@ -169,13 +148,11 @@ public:
return Success;
}
- bool Peek(uint8_t expectedByte) const
- {
+ bool Peek(uint8_t expectedByte) const {
return input < end && *input == expectedByte;
}
- Result Read(uint8_t& out)
- {
+ Result Read(uint8_t& out) {
Result rv = EnsureLength(1);
if (rv != Success) {
return rv;
@@ -184,8 +161,7 @@ public:
return Success;
}
- Result Read(uint16_t& out)
- {
+ Result Read(uint16_t& out) {
Result rv = EnsureLength(2);
if (rv != Success) {
return rv;
@@ -197,8 +173,7 @@ public:
}
template <Input::size_type N>
- bool MatchRest(const uint8_t (&toMatch)[N])
- {
+ bool MatchRest(const uint8_t (&toMatch)[N]) {
// Normally we use EnsureLength which compares (input + len < end), but
// here we want to be sure that there is nothing following the matched
// bytes
@@ -212,8 +187,7 @@ public:
return true;
}
- bool MatchRest(Input toMatch)
- {
+ bool MatchRest(Input toMatch) {
// Normally we use EnsureLength which compares (input + len < end), but
// here we want to be sure that there is nothing following the matched
// bytes
@@ -228,8 +202,7 @@ public:
return true;
}
- Result Skip(Input::size_type len)
- {
+ Result Skip(Input::size_type len) {
Result rv = EnsureLength(len);
if (rv != Success) {
return rv;
@@ -238,8 +211,7 @@ public:
return Success;
}
- Result Skip(Input::size_type len, Reader& skipped)
- {
+ Result Skip(Input::size_type len, Reader& skipped) {
Result rv = EnsureLength(len);
if (rv != Success) {
return rv;
@@ -252,8 +224,7 @@ public:
return Success;
}
- Result Skip(Input::size_type len, /*out*/ Input& skipped)
- {
+ Result Skip(Input::size_type len, /*out*/ Input& skipped) {
Result rv = EnsureLength(len);
if (rv != Success) {
return rv;
@@ -266,18 +237,13 @@ public:
return Success;
}
- void SkipToEnd()
- {
- input = end;
- }
+ void SkipToEnd() { input = end; }
- Result SkipToEnd(/*out*/ Input& skipped)
- {
+ Result SkipToEnd(/*out*/ Input& skipped) {
return Skip(static_cast<Input::size_type>(end - input), skipped);
}
- Result EnsureLength(Input::size_type len)
- {
+ Result EnsureLength(Input::size_type len) {
if (static_cast<size_t>(end - input) < len) {
return Result::ERROR_BAD_DER;
}
@@ -286,13 +252,13 @@ public:
bool AtEnd() const { return input == end; }
- class Mark final
- {
- public:
- Mark(const Mark&) = default; // Intentionally not explicit.
- private:
+ class Mark final {
+ public:
+ Mark(const Mark&) = default; // Intentionally not explicit.
+ private:
friend class Reader;
- Mark(const Reader& aInput, const uint8_t* aMark) : input(aInput), mark(aMark) { }
+ Mark(const Reader& aInput, const uint8_t* aMark)
+ : input(aInput), mark(aMark) {}
const Reader& input;
const uint8_t* const mark;
void operator=(const Mark&) = delete;
@@ -300,8 +266,7 @@ public:
Mark GetMark() const { return Mark(*this, input); }
- Result GetInput(const Mark& mark, /*out*/ Input& item)
- {
+ Result GetInput(const Mark& mark, /*out*/ Input& item) {
if (&mark.input != this || mark.mark > input) {
return NotReached("invalid mark", Result::FATAL_ERROR_INVALID_ARGS);
}
@@ -309,9 +274,8 @@ public:
static_cast<Input::size_type>(input - mark.mark));
}
-private:
- Result Init(const uint8_t* data, Input::size_type len)
- {
+ private:
+ Result Init(const uint8_t* data, Input::size_type len) {
if (input) {
// already initialized
return Result::FATAL_ERROR_INVALID_ARGS;
@@ -328,9 +292,7 @@ private:
void operator=(const Reader&) = delete;
};
-inline bool
-InputContains(const Input& input, uint8_t toFind)
-{
+inline bool InputContains(const Input& input, uint8_t toFind) {
Reader reader(input);
for (;;) {
uint8_t b;
@@ -342,7 +304,7 @@ InputContains(const Input& input, uint8_t toFind)
}
}
}
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_Input_h
+#endif // mozilla_pkix_Input_h
diff --git a/lib/mozpkix/include/pkix/Result.h b/lib/mozpkix/include/pkix/Result.h
index a4241b84b..29461dc1a 100644
--- a/lib/mozpkix/include/pkix/Result.h
+++ b/lib/mozpkix/include/pkix/Result.h
@@ -27,7 +27,8 @@
#include <cassert>
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
static const unsigned int FATAL_ERROR_FLAG = 0x800;
@@ -83,132 +84,113 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800;
// The third argument to MOZILLA_PKIX_MAP() is used, along with the first
// argument, for maintaining the mapping of mozilla::pkix error codes to
// NSS/NSPR error codes in pkixnss.cpp.
-#define MOZILLA_PKIX_MAP_LIST \
- MOZILLA_PKIX_MAP(Success, 0, 0) \
- MOZILLA_PKIX_MAP(ERROR_BAD_DER, 1, \
- SEC_ERROR_BAD_DER) \
- MOZILLA_PKIX_MAP(ERROR_CA_CERT_INVALID, 2, \
- SEC_ERROR_CA_CERT_INVALID) \
- MOZILLA_PKIX_MAP(ERROR_BAD_SIGNATURE, 3, \
- SEC_ERROR_BAD_SIGNATURE) \
- MOZILLA_PKIX_MAP(ERROR_CERT_BAD_ACCESS_LOCATION, 4, \
- SEC_ERROR_CERT_BAD_ACCESS_LOCATION) \
- MOZILLA_PKIX_MAP(ERROR_CERT_NOT_IN_NAME_SPACE, 5, \
- SEC_ERROR_CERT_NOT_IN_NAME_SPACE) \
- MOZILLA_PKIX_MAP(ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 6, \
- SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) \
- MOZILLA_PKIX_MAP(ERROR_CONNECT_REFUSED, 7, \
- PR_CONNECT_REFUSED_ERROR) \
- MOZILLA_PKIX_MAP(ERROR_EXPIRED_CERTIFICATE, 8, \
- SEC_ERROR_EXPIRED_CERTIFICATE) \
- MOZILLA_PKIX_MAP(ERROR_EXTENSION_VALUE_INVALID, 9, \
- SEC_ERROR_EXTENSION_VALUE_INVALID) \
- MOZILLA_PKIX_MAP(ERROR_INADEQUATE_CERT_TYPE, 10, \
- SEC_ERROR_INADEQUATE_CERT_TYPE) \
- MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_USAGE, 11, \
- SEC_ERROR_INADEQUATE_KEY_USAGE) \
- MOZILLA_PKIX_MAP(ERROR_INVALID_ALGORITHM, 12, \
- SEC_ERROR_INVALID_ALGORITHM) \
- MOZILLA_PKIX_MAP(ERROR_INVALID_DER_TIME, 13, \
- SEC_ERROR_INVALID_TIME) \
- MOZILLA_PKIX_MAP(ERROR_KEY_PINNING_FAILURE, 14, \
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE) \
- MOZILLA_PKIX_MAP(ERROR_PATH_LEN_CONSTRAINT_INVALID, 15, \
- SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID) \
- MOZILLA_PKIX_MAP(ERROR_POLICY_VALIDATION_FAILED, 16, \
- SEC_ERROR_POLICY_VALIDATION_FAILED) \
- MOZILLA_PKIX_MAP(ERROR_REVOKED_CERTIFICATE, 17, \
- SEC_ERROR_REVOKED_CERTIFICATE) \
- MOZILLA_PKIX_MAP(ERROR_UNKNOWN_CRITICAL_EXTENSION, 18, \
- SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) \
- MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ERROR, 19, \
- PR_UNKNOWN_ERROR) \
- MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ISSUER, 20, \
- SEC_ERROR_UNKNOWN_ISSUER) \
- MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_CERT, 21, \
- SEC_ERROR_UNTRUSTED_CERT) \
- MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_ISSUER, 22, \
- SEC_ERROR_UNTRUSTED_ISSUER) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_BAD_SIGNATURE, 23, \
- SEC_ERROR_OCSP_BAD_SIGNATURE) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_INVALID_SIGNING_CERT, 24, \
- SEC_ERROR_OCSP_INVALID_SIGNING_CERT) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_REQUEST, 25, \
- SEC_ERROR_OCSP_MALFORMED_REQUEST) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_RESPONSE, 26, \
- SEC_ERROR_OCSP_MALFORMED_RESPONSE) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_OLD_RESPONSE, 27, \
- SEC_ERROR_OCSP_OLD_RESPONSE) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_REQUEST_NEEDS_SIG, 28, \
- SEC_ERROR_OCSP_REQUEST_NEEDS_SIG) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONDER_CERT_INVALID, 29, \
- SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_SERVER_ERROR, 30, \
- SEC_ERROR_OCSP_SERVER_ERROR) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_TRY_SERVER_LATER, 31, \
- SEC_ERROR_OCSP_TRY_SERVER_LATER) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_UNAUTHORIZED_REQUEST, 32, \
- SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, 33, \
- SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_CERT, 34, \
- SEC_ERROR_OCSP_UNKNOWN_CERT) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_FUTURE_RESPONSE, 35, \
- SEC_ERROR_OCSP_FUTURE_RESPONSE) \
- MOZILLA_PKIX_MAP(ERROR_INVALID_KEY, 36, \
- SEC_ERROR_INVALID_KEY) \
- MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_KEYALG, 37, \
- SEC_ERROR_UNSUPPORTED_KEYALG) \
- MOZILLA_PKIX_MAP(ERROR_EXPIRED_ISSUER_CERTIFICATE, 38, \
- SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
- MOZILLA_PKIX_MAP(ERROR_CA_CERT_USED_AS_END_ENTITY, 39, \
- MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
- MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40, \
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
- MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41, \
- MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA) \
- MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, \
- SSL_ERROR_BAD_CERT_DOMAIN) \
- MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43, \
- MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
- MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44, \
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE) \
- MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45, \
- MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE) \
- MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
- MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
- MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47, \
- SEC_ERROR_UNSUPPORTED_EC_POINT_FORM) \
- MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48, \
- MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH) \
- MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49, \
- MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) \
- MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50, \
- MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG) \
- MOZILLA_PKIX_MAP(ERROR_REQUIRED_TLS_FEATURE_MISSING, 51, \
- MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING) \
- MOZILLA_PKIX_MAP(ERROR_INVALID_INTEGER_ENCODING, 52, \
- MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING) \
- MOZILLA_PKIX_MAP(ERROR_EMPTY_ISSUER_NAME, 53, \
- MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME) \
- MOZILLA_PKIX_MAP(ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, 54, \
- MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED) \
- MOZILLA_PKIX_MAP(ERROR_SELF_SIGNED_CERT, 55, \
- MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) \
- MOZILLA_PKIX_MAP(ERROR_MITM_DETECTED, 56, \
- MOZILLA_PKIX_ERROR_MITM_DETECTED) \
- MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
- SEC_ERROR_INVALID_ARGS) \
- MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
- PR_INVALID_STATE_ERROR) \
- MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3, \
- SEC_ERROR_LIBRARY_FAILURE) \
- MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \
- SEC_ERROR_NO_MEMORY) \
- /* nothing here */
+#define MOZILLA_PKIX_MAP_LIST \
+ MOZILLA_PKIX_MAP(Success, 0, 0) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_DER, 1, SEC_ERROR_BAD_DER) \
+ MOZILLA_PKIX_MAP(ERROR_CA_CERT_INVALID, 2, SEC_ERROR_CA_CERT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_SIGNATURE, 3, SEC_ERROR_BAD_SIGNATURE) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_BAD_ACCESS_LOCATION, 4, \
+ SEC_ERROR_CERT_BAD_ACCESS_LOCATION) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_NOT_IN_NAME_SPACE, 5, \
+ SEC_ERROR_CERT_NOT_IN_NAME_SPACE) \
+ MOZILLA_PKIX_MAP(ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 6, \
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) \
+ MOZILLA_PKIX_MAP(ERROR_CONNECT_REFUSED, 7, PR_CONNECT_REFUSED_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_EXPIRED_CERTIFICATE, 8, \
+ SEC_ERROR_EXPIRED_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_EXTENSION_VALUE_INVALID, 9, \
+ SEC_ERROR_EXTENSION_VALUE_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_CERT_TYPE, 10, \
+ SEC_ERROR_INADEQUATE_CERT_TYPE) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_USAGE, 11, \
+ SEC_ERROR_INADEQUATE_KEY_USAGE) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_ALGORITHM, 12, SEC_ERROR_INVALID_ALGORITHM) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_DER_TIME, 13, SEC_ERROR_INVALID_TIME) \
+ MOZILLA_PKIX_MAP(ERROR_KEY_PINNING_FAILURE, 14, \
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE) \
+ MOZILLA_PKIX_MAP(ERROR_PATH_LEN_CONSTRAINT_INVALID, 15, \
+ SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_POLICY_VALIDATION_FAILED, 16, \
+ SEC_ERROR_POLICY_VALIDATION_FAILED) \
+ MOZILLA_PKIX_MAP(ERROR_REVOKED_CERTIFICATE, 17, \
+ SEC_ERROR_REVOKED_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_CRITICAL_EXTENSION, 18, \
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ERROR, 19, PR_UNKNOWN_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ISSUER, 20, SEC_ERROR_UNKNOWN_ISSUER) \
+ MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_CERT, 21, SEC_ERROR_UNTRUSTED_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_ISSUER, 22, SEC_ERROR_UNTRUSTED_ISSUER) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_BAD_SIGNATURE, 23, SEC_ERROR_OCSP_BAD_SIGNATURE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_INVALID_SIGNING_CERT, 24, \
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_REQUEST, 25, \
+ SEC_ERROR_OCSP_MALFORMED_REQUEST) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_RESPONSE, 26, \
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_OLD_RESPONSE, 27, SEC_ERROR_OCSP_OLD_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_REQUEST_NEEDS_SIG, 28, \
+ SEC_ERROR_OCSP_REQUEST_NEEDS_SIG) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONDER_CERT_INVALID, 29, \
+ SEC_ERROR_OCSP_RESPONDER_CERT_INVALID) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_SERVER_ERROR, 30, SEC_ERROR_OCSP_SERVER_ERROR) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_TRY_SERVER_LATER, 31, \
+ SEC_ERROR_OCSP_TRY_SERVER_LATER) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNAUTHORIZED_REQUEST, 32, \
+ SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, 33, \
+ SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_CERT, 34, SEC_ERROR_OCSP_UNKNOWN_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_FUTURE_RESPONSE, 35, \
+ SEC_ERROR_OCSP_FUTURE_RESPONSE) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_KEY, 36, SEC_ERROR_INVALID_KEY) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_KEYALG, 37, SEC_ERROR_UNSUPPORTED_KEYALG) \
+ MOZILLA_PKIX_MAP(ERROR_EXPIRED_ISSUER_CERTIFICATE, 38, \
+ SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_CA_CERT_USED_AS_END_ENTITY, 39, \
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY) \
+ MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40, \
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE) \
+ MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41, \
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA) \
+ MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, SSL_ERROR_BAD_CERT_DOMAIN) \
+ MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43, \
+ MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44, \
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
+ MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47, \
+ SEC_ERROR_UNSUPPORTED_EC_POINT_FORM) \
+ MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48, \
+ MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH) \
+ MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49, \
+ MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) \
+ MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50, \
+ MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG) \
+ MOZILLA_PKIX_MAP(ERROR_REQUIRED_TLS_FEATURE_MISSING, 51, \
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING) \
+ MOZILLA_PKIX_MAP(ERROR_INVALID_INTEGER_ENCODING, 52, \
+ MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING) \
+ MOZILLA_PKIX_MAP(ERROR_EMPTY_ISSUER_NAME, 53, \
+ MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME) \
+ MOZILLA_PKIX_MAP(ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, 54, \
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED) \
+ MOZILLA_PKIX_MAP(ERROR_SELF_SIGNED_CERT, 55, \
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) \
+ MOZILLA_PKIX_MAP(ERROR_MITM_DETECTED, 56, MOZILLA_PKIX_ERROR_MITM_DETECTED) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
+ SEC_ERROR_INVALID_ARGS) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
+ PR_INVALID_STATE_ERROR) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3, \
+ SEC_ERROR_LIBRARY_FAILURE) \
+ MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \
+ SEC_ERROR_NO_MEMORY) \
+/* nothing here */
-enum class Result
-{
+enum class Result {
#define MOZILLA_PKIX_MAP(name, value, nss_name) name = value,
MOZILLA_PKIX_MAP_LIST
#undef MOZILLA_PKIX_MAP
@@ -223,19 +205,15 @@ const char* MapResultToName(Result result);
// results in less line wrapping.
static const Result Success = Result::Success;
-inline bool
-IsFatalError(Result rv)
-{
+inline bool IsFatalError(Result rv) {
return (static_cast<unsigned int>(rv) & FATAL_ERROR_FLAG) != 0;
}
-inline Result
-NotReached(const char* /*explanation*/, Result result)
-{
+inline Result NotReached(const char* /*explanation*/, Result result) {
assert(false);
return result;
}
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_Result_h
+#endif // mozilla_pkix_Result_h
diff --git a/lib/mozpkix/include/pkix/Time.h b/lib/mozpkix/include/pkix/Time.h
index d3f7378ad..8aea5479b 100644
--- a/lib/mozpkix/include/pkix/Time.h
+++ b/lib/mozpkix/include/pkix/Time.h
@@ -25,22 +25,22 @@
#ifndef mozilla_pkix_Time_h
#define mozilla_pkix_Time_h
+#include <stdint.h>
#include <ctime>
#include <limits>
-#include <stdint.h>
#include "mozpkix/Result.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
// Time with a range from the first second of year 0 (AD) through at least the
// last second of year 9999, which is the range of legal times in X.509 and
// OCSP. This type has second-level precision. The time zone is always UTC.
//
// Pass by value, not by reference.
-class Time final
-{
-public:
+class Time final {
+ public:
// Construct an uninitialized instance.
//
// This will fail to compile because there is no default constructor:
@@ -49,52 +49,44 @@ public:
// This will succeed, leaving the time uninitialized:
// Time x(Time::uninitialized);
enum Uninitialized { uninitialized };
- explicit Time(Uninitialized) { }
+ explicit Time(Uninitialized) {}
- bool operator==(const Time& other) const
- {
+ bool operator==(const Time& other) const {
return elapsedSecondsAD == other.elapsedSecondsAD;
}
- bool operator>(const Time& other) const
- {
+ bool operator>(const Time& other) const {
return elapsedSecondsAD > other.elapsedSecondsAD;
}
- bool operator>=(const Time& other) const
- {
+ bool operator>=(const Time& other) const {
return elapsedSecondsAD >= other.elapsedSecondsAD;
}
- bool operator<(const Time& other) const
- {
+ bool operator<(const Time& other) const {
return elapsedSecondsAD < other.elapsedSecondsAD;
}
- bool operator<=(const Time& other) const
- {
+ bool operator<=(const Time& other) const {
return elapsedSecondsAD <= other.elapsedSecondsAD;
}
- Result AddSeconds(uint64_t seconds)
- {
- if (std::numeric_limits<uint64_t>::max() - elapsedSecondsAD
- < seconds) {
- return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
+ Result AddSeconds(uint64_t seconds) {
+ if (std::numeric_limits<uint64_t>::max() - elapsedSecondsAD < seconds) {
+ return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
}
elapsedSecondsAD += seconds;
return Success;
}
- Result SubtractSeconds(uint64_t seconds)
- {
+ Result SubtractSeconds(uint64_t seconds) {
if (seconds > elapsedSecondsAD) {
- return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
+ return Result::FATAL_ERROR_INVALID_ARGS; // integer overflow
}
elapsedSecondsAD -= seconds;
return Success;
}
- static const uint64_t ONE_DAY_IN_SECONDS
- = UINT64_C(24) * UINT64_C(60) * UINT64_C(60);
+ static const uint64_t ONE_DAY_IN_SECONDS =
+ UINT64_C(24) * UINT64_C(60) * UINT64_C(60);
-private:
+ private:
// This constructor is hidden to prevent accidents like this:
//
// Time foo(time_t t)
@@ -103,17 +95,14 @@ private:
// return Time(t);
// }
explicit Time(uint64_t aElapsedSecondsAD)
- : elapsedSecondsAD(aElapsedSecondsAD)
- {
- }
+ : elapsedSecondsAD(aElapsedSecondsAD) {}
friend Time TimeFromElapsedSecondsAD(uint64_t);
friend class Duration;
uint64_t elapsedSecondsAD;
};
-inline Time TimeFromElapsedSecondsAD(uint64_t aElapsedSecondsAD)
-{
+inline Time TimeFromElapsedSecondsAD(uint64_t aElapsedSecondsAD) {
return Time(aElapsedSecondsAD);
}
@@ -122,34 +111,27 @@ Time Now();
// Note the epoch is the unix epoch (ie 00:00:00 UTC, 1 January 1970)
Time TimeFromEpochInSeconds(uint64_t secondsSinceEpoch);
-class Duration final
-{
-public:
+class Duration final {
+ public:
Duration(Time timeA, Time timeB)
- : durationInSeconds(timeA < timeB
- ? timeB.elapsedSecondsAD - timeA.elapsedSecondsAD
- : timeA.elapsedSecondsAD - timeB.elapsedSecondsAD)
- {
- }
+ : durationInSeconds(
+ timeA < timeB ? timeB.elapsedSecondsAD - timeA.elapsedSecondsAD
+ : timeA.elapsedSecondsAD - timeB.elapsedSecondsAD) {}
explicit Duration(uint64_t aDurationInSeconds)
- : durationInSeconds(aDurationInSeconds)
- {
- }
+ : durationInSeconds(aDurationInSeconds) {}
- bool operator>(const Duration& other) const
- {
+ bool operator>(const Duration& other) const {
return durationInSeconds > other.durationInSeconds;
}
- bool operator<(const Duration& other) const
- {
+ bool operator<(const Duration& other) const {
return durationInSeconds < other.durationInSeconds;
}
-private:
+ private:
uint64_t durationInSeconds;
};
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_Time_h
+#endif // mozilla_pkix_Time_h
diff --git a/lib/mozpkix/include/pkix/pkix.h b/lib/mozpkix/include/pkix/pkix.h
index 42ba26b93..1cd6548e4 100644
--- a/lib/mozpkix/include/pkix/pkix.h
+++ b/lib/mozpkix/include/pkix/pkix.h
@@ -27,7 +27,8 @@
#include "mozpkix/pkixtypes.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
// ----------------------------------------------------------------------------
// LIMITED SUPPORT FOR CERTIFICATE POLICIES
@@ -103,8 +104,8 @@ namespace mozilla { namespace pkix {
// requiredPolicy:
// This is the policy to apply; typically included in EV certificates.
// If there is no policy, pass in CertPolicyId::anyPolicy.
-Result BuildCertChain(TrustDomain& trustDomain, Input cert,
- Time time, EndEntityOrCA endEntityOrCA,
+Result BuildCertChain(TrustDomain& trustDomain, Input cert, Time time,
+ EndEntityOrCA endEntityOrCA,
KeyUsage requiredKeyUsageIfPresent,
KeyPurposeId requiredEKUIfPresent,
const CertPolicyId& requiredPolicy,
@@ -122,8 +123,7 @@ Result CheckCertHostname(Input cert, Input hostname,
// Construct an RFC-6960-encoded OCSP request, ready for submission to a
// responder, for the provided CertID. The request has no extensions.
static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
-Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
- const CertID& certID,
+Result CreateEncodedOCSPRequest(TrustDomain& trustDomain, const CertID& certID,
/*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
/*out*/ size_t& outLen);
@@ -140,13 +140,12 @@ Result CreateEncodedOCSPRequest(TrustDomain& trustDomain,
// which the encoded response is considered trustworthy (that is, as long as
// the given time at which to validate is less than or equal to validThrough,
// the response will be considered trustworthy).
-Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
- const CertID& certID, Time time,
- uint16_t maxLifetimeInDays,
- Input encodedResponse,
- /* out */ bool& expired,
- /* optional out */ Time* thisUpdate = nullptr,
- /* optional out */ Time* validThrough = nullptr);
+Result VerifyEncodedOCSPResponse(
+ TrustDomain& trustDomain, const CertID& certID, Time time,
+ uint16_t maxLifetimeInDays, Input encodedResponse,
+ /* out */ bool& expired,
+ /* optional out */ Time* thisUpdate = nullptr,
+ /* optional out */ Time* validThrough = nullptr);
// Check that the TLSFeature extensions in a given end-entity cert (which is
// assumed to have been already validated with BuildCertChain) are satisfied.
@@ -155,7 +154,7 @@ Result VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
// requirement for another value. Empty extensions are also rejected.
Result CheckTLSFeaturesAreSatisfied(Input& cert,
const Input* stapledOCSPResponse);
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_pkix_h
+#endif // mozilla_pkix_pkix_h
diff --git a/lib/mozpkix/include/pkix/pkixcheck.h b/lib/mozpkix/include/pkix/pkixcheck.h
index 5b47c7cda..e04780e57 100644
--- a/lib/mozpkix/include/pkix/pkixcheck.h
+++ b/lib/mozpkix/include/pkix/pkixcheck.h
@@ -27,19 +27,18 @@
#include "mozpkix/pkixtypes.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
class BackCert;
-Result CheckIssuerIndependentProperties(
- TrustDomain& trustDomain,
- const BackCert& cert,
- Time time,
- KeyUsage requiredKeyUsageIfPresent,
- KeyPurposeId requiredEKUIfPresent,
- const CertPolicyId& requiredPolicy,
- unsigned int subCACount,
- /*out*/ TrustLevel& trustLevel);
+Result CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+ const BackCert& cert, Time time,
+ KeyUsage requiredKeyUsageIfPresent,
+ KeyPurposeId requiredEKUIfPresent,
+ const CertPolicyId& requiredPolicy,
+ unsigned int subCACount,
+ /*out*/ TrustLevel& trustLevel);
Result CheckNameConstraints(Input encodedNameConstraints,
const BackCert& firstChild,
@@ -60,7 +59,7 @@ Result CheckValidity(Time time, Time notBefore, Time notAfter);
// Check that a subject has TLS Feature (rfc7633) requirements that match its
// potential issuer
Result CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer);
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_pkixcheck_h
+#endif // mozilla_pkix_pkixcheck_h
diff --git a/lib/mozpkix/include/pkix/pkixder.h b/lib/mozpkix/include/pkix/pkixder.h
index 0c9e8670a..3aae0ecf6 100644
--- a/lib/mozpkix/include/pkix/pkixder.h
+++ b/lib/mozpkix/include/pkix/pkixder.h
@@ -40,23 +40,20 @@
#include "mozpkix/Input.h"
#include "mozpkix/pkixtypes.h"
-namespace mozilla { namespace pkix { namespace der {
-
-enum Class : uint8_t
-{
- UNIVERSAL = 0 << 6,
-// APPLICATION = 1 << 6, // unused
- CONTEXT_SPECIFIC = 2 << 6,
-// PRIVATE = 3 << 6 // unused
+namespace mozilla {
+namespace pkix {
+namespace der {
+
+enum Class : uint8_t {
+ UNIVERSAL = 0 << 6,
+ // APPLICATION = 1 << 6, // unused
+ CONTEXT_SPECIFIC = 2 << 6,
+ // PRIVATE = 3 << 6 // unused
};
-enum Constructed
-{
- CONSTRUCTED = 1 << 5
-};
+enum Constructed { CONSTRUCTED = 1 << 5 };
-enum Tag : uint8_t
-{
+enum Tag : uint8_t {
BOOLEAN = UNIVERSAL | 0x01,
INTEGER = UNIVERSAL | 0x02,
BIT_STRING = UNIVERSAL | 0x03,
@@ -65,8 +62,8 @@ enum Tag : uint8_t
OIDTag = UNIVERSAL | 0x06,
ENUMERATED = UNIVERSAL | 0x0a,
UTF8String = UNIVERSAL | 0x0c,
- SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10, // 0x30
- SET = UNIVERSAL | CONSTRUCTED | 0x11, // 0x31
+ SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10, // 0x30
+ SET = UNIVERSAL | CONSTRUCTED | 0x11, // 0x31
PrintableString = UNIVERSAL | 0x13,
TeletexString = UNIVERSAL | 0x14,
IA5String = UNIVERSAL | 0x16,
@@ -80,9 +77,8 @@ Result ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag,
/*out*/ Input& value);
Result End(Reader& input);
-inline Result
-ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
-{
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+ /*out*/ Input& value) {
uint8_t actualTag;
Result rv = ReadTagAndGetValue(input, actualTag, value);
if (rv != Success) {
@@ -94,9 +90,8 @@ ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Input& value)
return Success;
}
-inline Result
-ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Reader& value)
-{
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+ /*out*/ Reader& value) {
Input valueInput;
Result rv = ExpectTagAndGetValue(input, tag, valueInput);
if (rv != Success) {
@@ -105,9 +100,7 @@ ExpectTagAndGetValue(Reader& input, uint8_t tag, /*out*/ Reader& value)
return value.Init(valueInput);
}
-inline Result
-ExpectTagAndEmptyValue(Reader& input, uint8_t tag)
-{
+inline Result ExpectTagAndEmptyValue(Reader& input, uint8_t tag) {
Reader value;
Result rv = ExpectTagAndGetValue(input, tag, value);
if (rv != Success) {
@@ -116,18 +109,15 @@ ExpectTagAndEmptyValue(Reader& input, uint8_t tag)
return End(value);
}
-inline Result
-ExpectTagAndSkipValue(Reader& input, uint8_t tag)
-{
+inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
Input ignoredValue;
return ExpectTagAndGetValue(input, tag, ignoredValue);
}
// Like ExpectTagAndGetValue, except the output Input will contain the
// encoded tag and length along with the value.
-inline Result
-ExpectTagAndGetTLV(Reader& input, uint8_t tag, /*out*/ Input& tlv)
-{
+inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,
+ /*out*/ Input& tlv) {
Reader::Mark mark(input.GetMark());
Result rv = ExpectTagAndSkipValue(input, tag);
if (rv != Success) {
@@ -136,9 +126,7 @@ ExpectTagAndGetTLV(Reader& input, uint8_t tag, /*out*/ Input& tlv)
return input.GetInput(mark, tlv);
}
-inline Result
-End(Reader& input)
-{
+inline Result End(Reader& input) {
if (!input.AtEnd()) {
return Result::ERROR_BAD_DER;
}
@@ -147,9 +135,7 @@ End(Reader& input)
}
template <typename Decoder>
-inline Result
-Nested(Reader& input, uint8_t tag, Decoder decoder)
-{
+inline Result Nested(Reader& input, uint8_t tag, Decoder decoder) {
Reader nested;
Result rv = ExpectTagAndGetValue(input, tag, nested);
if (rv != Success) {
@@ -163,9 +149,8 @@ Nested(Reader& input, uint8_t tag, Decoder decoder)
}
template <typename Decoder>
-inline Result
-Nested(Reader& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
-{
+inline Result Nested(Reader& input, uint8_t outerTag, uint8_t innerTag,
+ Decoder decoder) {
Reader nestedInput;
Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
if (rv != Success) {
@@ -206,10 +191,8 @@ Nested(Reader& input, uint8_t outerTag, uint8_t innerTag, Decoder decoder)
// foos.
//
template <typename Decoder>
-inline Result
-NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
- EmptyAllowed mayBeEmpty, Decoder decoder)
-{
+inline Result NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
+ EmptyAllowed mayBeEmpty, Decoder decoder) {
Reader inner;
Result rv = ExpectTagAndGetValue(input, outerTag, inner);
if (rv != Success) {
@@ -237,10 +220,8 @@ NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
// DER-encoded data wrapped in a SEQUENCE (or similar) with nothing after it.
// This function reduces the boilerplate necessary for stripping the outermost
// SEQUENCE (or similar) and ensuring that nothing follows it.
-inline Result
-ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
- /*out*/ Reader& inner)
-{
+inline Result ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
+ /*out*/ Reader& inner) {
Result rv = der::ExpectTagAndGetValue(outer, expectedTag, inner);
if (rv != Success) {
return rv;
@@ -249,10 +230,8 @@ ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
}
// Similar to the above, but takes an Input instead of a Reader&.
-inline Result
-ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
- /*out*/ Reader& inner)
-{
+inline Result ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
+ /*out*/ Reader& inner) {
Reader outerReader(outer);
return ExpectTagAndGetValueAtEnd(outerReader, expectedTag, inner);
}
@@ -261,30 +240,26 @@ ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
namespace internal {
-enum class IntegralValueRestriction
-{
+enum class IntegralValueRestriction {
NoRestriction,
MustBePositive,
MustBe0To127,
};
-Result IntegralBytes(Reader& input, uint8_t tag,
- IntegralValueRestriction valueRestriction,
- /*out*/ Input& value,
+Result IntegralBytes(
+ Reader& input, uint8_t tag, IntegralValueRestriction valueRestriction,
+ /*out*/ Input& value,
/*optional out*/ Input::size_type* significantBytes = nullptr);
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
Result IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value);
-} // namespace internal
+} // namespace internal
-Result
-BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
+Result BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
-inline Result
-Boolean(Reader& input, /*out*/ bool& value)
-{
+inline Result Boolean(Reader& input, /*out*/ bool& value) {
Reader valueReader;
Result rv = ExpectTagAndGetValue(input, BOOLEAN, valueReader);
if (rv != Success) {
@@ -301,8 +276,12 @@ Boolean(Reader& input, /*out*/ bool& value)
return rv;
}
switch (intValue) {
- case 0: value = false; return Success;
- case 0xFF: value = true; return Success;
+ case 0:
+ value = false;
+ return Success;
+ case 0xFF:
+ value = true;
+ return Success;
default:
return Result::ERROR_BAD_DER;
}
@@ -314,9 +293,7 @@ Boolean(Reader& input, /*out*/ bool& value)
// default value." However, it appears to be common that other libraries
// incorrectly include the value of a BOOLEAN even when it's equal to the
// default value, so we allow invalid explicit encodings here.
-inline Result
-OptionalBoolean(Reader& input, /*out*/ bool& value)
-{
+inline Result OptionalBoolean(Reader& input, /*out*/ bool& value) {
value = false;
if (input.Peek(BOOLEAN)) {
Result rv = Boolean(input, value);
@@ -329,9 +306,7 @@ OptionalBoolean(Reader& input, /*out*/ bool& value)
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
-inline Result
-Enumerated(Reader& input, uint8_t& value)
-{
+inline Result Enumerated(Reader& input, uint8_t& value) {
return internal::IntegralValue(input, ENUMERATED | 0, value);
}
@@ -345,23 +320,19 @@ namespace internal {
// time formats that start at 1970.
Result TimeChoice(Reader& input, uint8_t tag, /*out*/ Time& time);
-} // namespace internal
+} // namespace internal
// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
// eliminate the chance for complications in converting times to traditional
// time formats that start at 1970.
-inline Result
-GeneralizedTime(Reader& input, /*out*/ Time& time)
-{
+inline Result GeneralizedTime(Reader& input, /*out*/ Time& time) {
return internal::TimeChoice(input, GENERALIZED_TIME, time);
}
// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
// eliminate the chance for complications in converting times to traditional
// time formats that start at 1970.
-inline Result
-TimeChoice(Reader& input, /*out*/ Time& time)
-{
+inline Result TimeChoice(Reader& input, /*out*/ Time& time) {
uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
return internal::TimeChoice(input, expectedTag, time);
}
@@ -370,20 +341,17 @@ TimeChoice(Reader& input, /*out*/ Time& time)
// zero are rejected. If significantBytes is not null, then it will be set to
// the number of significant bytes in the value (the length of the value, less
// the length of any leading padding), which is useful for key size checks.
-inline Result
-PositiveInteger(Reader& input, /*out*/ Input& value,
- /*optional out*/ Input::size_type* significantBytes = nullptr)
-{
+inline Result PositiveInteger(
+ Reader& input, /*out*/ Input& value,
+ /*optional out*/ Input::size_type* significantBytes = nullptr) {
return internal::IntegralBytes(
- input, INTEGER, internal::IntegralValueRestriction::MustBePositive,
- value, significantBytes);
+ input, INTEGER, internal::IntegralValueRestriction::MustBePositive, value,
+ significantBytes);
}
// This parser will only parse values between 0..127. If this range is
// increased then callers will need to be changed.
-inline Result
-Integer(Reader& input, /*out*/ uint8_t& value)
-{
+inline Result Integer(Reader& input, /*out*/ uint8_t& value) {
return internal::IntegralValue(input, INTEGER, value);
}
@@ -391,9 +359,8 @@ Integer(Reader& input, /*out*/ uint8_t& value)
// increased then callers will need to be changed. The default value must be
// -1; defaultValue is only a parameter to make it clear in the calling code
// what the default value is.
-inline Result
-OptionalInteger(Reader& input, long defaultValue, /*out*/ long& value)
-{
+inline Result OptionalInteger(Reader& input, long defaultValue,
+ /*out*/ long& value) {
// If we need to support a different default value in the future, we need to
// test that parsedValue != defaultValue.
if (defaultValue != -1) {
@@ -414,16 +381,12 @@ OptionalInteger(Reader& input, long defaultValue, /*out*/ long& value)
return Success;
}
-inline Result
-Null(Reader& input)
-{
+inline Result Null(Reader& input) {
return ExpectTagAndEmptyValue(input, NULLTag);
}
template <uint8_t Len>
-Result
-OID(Reader& input, const uint8_t (&expectedOid)[Len])
-{
+Result OID(Reader& input, const uint8_t (&expectedOid)[Len]) {
Reader value;
Result rv = ExpectTagAndGetValue(input, OIDTag, value);
if (rv != Success) {
@@ -437,9 +400,7 @@ OID(Reader& input, const uint8_t (&expectedOid)[Len])
// PKI-specific types
-inline Result
-CertificateSerialNumber(Reader& input, /*out*/ Input& value)
-{
+inline Result CertificateSerialNumber(Reader& input, /*out*/ Input& value) {
// http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
//
// * "The serial number MUST be a positive integer assigned by the CA to
@@ -451,8 +412,7 @@ CertificateSerialNumber(Reader& input, /*out*/ Input& value)
// that are negative or zero. Certificate users SHOULD be prepared to
// gracefully handle such certificates."
return internal::IntegralBytes(
- input, INTEGER, internal::IntegralValueRestriction::NoRestriction,
- value);
+ input, INTEGER, internal::IntegralValueRestriction::NoRestriction, value);
}
// x.509 and OCSP both use this same version numbering scheme, though OCSP
@@ -466,10 +426,8 @@ enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3, Uninitialized = 255 };
Result OptionalVersion(Reader& input, /*out*/ Version& version);
template <typename ExtensionHandler>
-inline Result
-OptionalExtensions(Reader& input, uint8_t tag,
- ExtensionHandler extensionHandler)
-{
+inline Result OptionalExtensions(Reader& input, uint8_t tag,
+ ExtensionHandler extensionHandler) {
if (!input.Peek(tag)) {
return Success;
}
@@ -480,59 +438,54 @@ OptionalExtensions(Reader& input, uint8_t tag,
// TODO(bug 997994): According to the specification, there should never be
// an empty sequence of extensions but we've found OCSP responses that have
// that (see bug 991898).
- return NestedOf(tagged, SEQUENCE, SEQUENCE, EmptyAllowed::Yes,
- [extensionHandler](Reader& extension) -> Result {
- // Extension ::= SEQUENCE {
- // extnID OBJECT IDENTIFIER,
- // critical BOOLEAN DEFAULT FALSE,
- // extnValue OCTET STRING
- // }
- Reader extnID;
- Result rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
- if (rv != Success) {
- return rv;
- }
- bool critical;
- rv = OptionalBoolean(extension, critical);
- if (rv != Success) {
- return rv;
- }
- Input extnValue;
- rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
- if (rv != Success) {
- return rv;
- }
- bool understood = false;
- rv = extensionHandler(extnID, extnValue, critical, understood);
- if (rv != Success) {
- return rv;
- }
- if (critical && !understood) {
- return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
- }
- return Success;
- });
+ return NestedOf(
+ tagged, SEQUENCE, SEQUENCE, EmptyAllowed::Yes,
+ [extensionHandler](Reader& extension) -> Result {
+ // Extension ::= SEQUENCE {
+ // extnID OBJECT IDENTIFIER,
+ // critical BOOLEAN DEFAULT FALSE,
+ // extnValue OCTET STRING
+ // }
+ Reader extnID;
+ Result rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
+ if (rv != Success) {
+ return rv;
+ }
+ bool critical;
+ rv = OptionalBoolean(extension, critical);
+ if (rv != Success) {
+ return rv;
+ }
+ Input extnValue;
+ rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
+ if (rv != Success) {
+ return rv;
+ }
+ bool understood = false;
+ rv = extensionHandler(extnID, extnValue, critical, understood);
+ if (rv != Success) {
+ return rv;
+ }
+ if (critical && !understood) {
+ return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+ }
+ return Success;
+ });
});
}
Result DigestAlgorithmIdentifier(Reader& input,
/*out*/ DigestAlgorithm& algorithm);
-enum class PublicKeyAlgorithm
-{
- RSA_PKCS1,
- ECDSA,
- Uninitialized
-};
+enum class PublicKeyAlgorithm { RSA_PKCS1, ECDSA, Uninitialized };
Result SignatureAlgorithmIdentifierValue(
- Reader& input,
- /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
- /*out*/ DigestAlgorithm& digestAlgorithm);
+ Reader& input,
+ /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+ /*out*/ DigestAlgorithm& digestAlgorithm);
-struct SignedDataWithSignature final
-{
-public:
+struct SignedDataWithSignature final {
+ public:
Input data;
Input algorithm;
Input signature;
@@ -560,7 +513,8 @@ public:
// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
Result SignedData(Reader& input, /*out*/ Reader& tbs,
/*out*/ SignedDataWithSignature& signedDataWithSignature);
+}
+}
+} // namespace mozilla::pkix::der
-} } } // namespace mozilla::pkix::der
-
-#endif // mozilla_pkix_pkixder_h
+#endif // mozilla_pkix_pkixder_h
diff --git a/lib/mozpkix/include/pkix/pkixnss.h b/lib/mozpkix/include/pkix/pkixnss.h
index 74a9466b5..b181ca541 100644
--- a/lib/mozpkix/include/pkix/pkixnss.h
+++ b/lib/mozpkix/include/pkix/pkixnss.h
@@ -29,7 +29,8 @@
#include "mozpkix/pkixtypes.h"
#include "prerror.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
// Verifies the PKCS#1.5 signature on the given data using the given RSA public
// key.
@@ -54,10 +55,8 @@ Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
// other, extensive, memory safety efforts in mozilla::pkix, and we should find
// a way to provide a more-obviously-safe interface.
-Result DigestBufNSS(Input item,
- DigestAlgorithm digestAlg,
- /*out*/ uint8_t* digestBuf,
- size_t digestBufLen);
+Result DigestBufNSS(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf, size_t digestBufLen);
Result MapPRErrorCodeToResult(PRErrorCode errorCode);
PRErrorCode MapResultToPRErrorCode(Result result);
@@ -72,8 +71,7 @@ PRErrorCode MapResultToPRErrorCode(Result result);
static const PRErrorCode ERROR_BASE = -0x4000;
static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
-enum ErrorCode
-{
+enum ErrorCode {
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
@@ -95,18 +93,14 @@ enum ErrorCode
void RegisterErrorTable();
-inline SECItem UnsafeMapInputToSECItem(Input input)
-{
- SECItem result = {
- siBuffer,
- const_cast<uint8_t*>(input.UnsafeGetData()),
- input.GetLength()
- };
+inline SECItem UnsafeMapInputToSECItem(Input input) {
+ SECItem result = {siBuffer, const_cast<uint8_t*>(input.UnsafeGetData()),
+ input.GetLength()};
static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
"input.GetLength() must fit in a SECItem");
return result;
}
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_pkixnss_h
+#endif // mozilla_pkix_pkixnss_h
diff --git a/lib/mozpkix/include/pkix/pkixtypes.h b/lib/mozpkix/include/pkix/pkixtypes.h
index e9929f9a5..6b12edbb1 100644
--- a/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/lib/mozpkix/include/pkix/pkixtypes.h
@@ -31,18 +31,17 @@
#include "mozpkix/Time.h"
#include "stdint.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
-enum class DigestAlgorithm
-{
+enum class DigestAlgorithm {
sha512 = 1,
sha384 = 2,
sha256 = 3,
sha1 = 4,
};
-enum class NamedCurve
-{
+enum class NamedCurve {
// secp521r1 (OID 1.3.132.0.35, RFC 5480)
secp521r1 = 1,
@@ -53,8 +52,7 @@ enum class NamedCurve
secp256r1 = 3,
};
-struct SignedDigest final
-{
+struct SignedDigest final {
Input digest;
DigestAlgorithm digestAlgorithm;
Input signature;
@@ -64,32 +62,29 @@ struct SignedDigest final
enum class EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
-enum class KeyUsage : uint8_t
-{
+enum class KeyUsage : uint8_t {
digitalSignature = 0,
- nonRepudiation = 1,
- keyEncipherment = 2,
+ nonRepudiation = 1,
+ keyEncipherment = 2,
dataEncipherment = 3,
- keyAgreement = 4,
- keyCertSign = 5,
+ keyAgreement = 4,
+ keyCertSign = 5,
// cRLSign = 6,
// encipherOnly = 7,
// decipherOnly = 8,
noParticularKeyUsageRequired = 0xff,
};
-enum class KeyPurposeId
-{
+enum class KeyPurposeId {
anyExtendedKeyUsage = 0,
- id_kp_serverAuth = 1, // id-kp-serverAuth
- id_kp_clientAuth = 2, // id-kp-clientAuth
- id_kp_codeSigning = 3, // id-kp-codeSigning
- id_kp_emailProtection = 4, // id-kp-emailProtection
- id_kp_OCSPSigning = 9, // id-kp-OCSPSigning
+ id_kp_serverAuth = 1, // id-kp-serverAuth
+ id_kp_clientAuth = 2, // id-kp-clientAuth
+ id_kp_codeSigning = 3, // id-kp-codeSigning
+ id_kp_emailProtection = 4, // id-kp-emailProtection
+ id_kp_OCSPSigning = 9, // id-kp-OCSPSigning
};
-struct CertPolicyId final
-{
+struct CertPolicyId final {
uint16_t numBytes;
static const uint16_t MAX_BYTES = 24;
uint8_t bytes[MAX_BYTES];
@@ -100,18 +95,16 @@ struct CertPolicyId final
static const CertPolicyId anyPolicy;
};
-enum class TrustLevel
-{
- TrustAnchor = 1, // certificate is a trusted root CA certificate or
- // equivalent *for the given policy*.
- ActivelyDistrusted = 2, // certificate is known to be bad
- InheritsTrust = 3 // certificate must chain to a trust anchor
+enum class TrustLevel {
+ TrustAnchor = 1, // certificate is a trusted root CA certificate or
+ // equivalent *for the given policy*.
+ ActivelyDistrusted = 2, // certificate is known to be bad
+ InheritsTrust = 3 // certificate must chain to a trust anchor
};
// Extensions extracted during the verification flow.
// See TrustDomain::NoteAuxiliaryExtension.
-enum class AuxiliaryExtension
-{
+enum class AuxiliaryExtension {
// Certificate Transparency data, specifically Signed Certificate
// Timestamps (SCTs). See RFC 6962.
@@ -134,15 +127,12 @@ enum class AuxiliaryExtension
// field from the issuer's certificate. serialNumber is the entire DER-encoded
// serial number from the subject certificate (the certificate for which we are
// checking the revocation status).
-struct CertID final
-{
-public:
+struct CertID final {
+ public:
CertID(Input aIssuer, Input aIssuerSubjectPublicKeyInfo, Input aSerialNumber)
- : issuer(aIssuer)
- , issuerSubjectPublicKeyInfo(aIssuerSubjectPublicKeyInfo)
- , serialNumber(aSerialNumber)
- {
- }
+ : issuer(aIssuer),
+ issuerSubjectPublicKeyInfo(aIssuerSubjectPublicKeyInfo),
+ serialNumber(aSerialNumber) {}
const Input issuer;
const Input issuerSubjectPublicKeyInfo;
const Input serialNumber;
@@ -151,9 +141,8 @@ public:
};
typedef std::unique_ptr<CertID> ScopedCertID;
-class DERArray
-{
-public:
+class DERArray {
+ public:
// Returns the number of DER-encoded items in the array.
virtual size_t GetLength() const = 0;
@@ -161,19 +150,19 @@ public:
// (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
// and the result is guaranteed to be nullptr if i >= GetLength().
virtual const Input* GetDER(size_t i) const = 0;
-protected:
- DERArray() { }
- virtual ~DERArray() { }
+
+ protected:
+ DERArray() {}
+ virtual ~DERArray() {}
};
// Applications control the behavior of path building and verification by
// implementing the TrustDomain interface. The TrustDomain is used for all
// cryptography and for determining which certificates are trusted or
// distrusted.
-class TrustDomain
-{
-public:
- virtual ~TrustDomain() { }
+class TrustDomain {
+ public:
+ virtual ~TrustDomain() {}
// Determine the level of trust in the given certificate for the given role.
// This will be called for every certificate encountered during path
@@ -192,9 +181,8 @@ public:
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) = 0;
- class IssuerChecker
- {
- public:
+ class IssuerChecker {
+ public:
// potentialIssuerDER is the complete DER encoding of the certificate to
// be checked as a potential issuer.
//
@@ -203,9 +191,10 @@ public:
// constraints will be checked in addition to any any name constraints
// contained in potentialIssuerDER.
virtual Result Check(Input potentialIssuerDER,
- /*optional*/ const Input* additionalNameConstraints,
- /*out*/ bool& keepGoing) = 0;
- protected:
+ /*optional*/ const Input* additionalNameConstraints,
+ /*out*/ bool& keepGoing) = 0;
+
+ protected:
IssuerChecker();
virtual ~IssuerChecker();
@@ -259,8 +248,8 @@ public:
// implementation has an efficient way of filtering potential issuers by name
// and/or validity period itself, then it is probably better for performance
// for it to do so.
- virtual Result FindIssuer(Input encodedIssuerName,
- IssuerChecker& checker, Time time) = 0;
+ virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
+ Time time) = 0;
// Called as soon as we think we have a valid chain but before revocation
// checks are done. This function can be used to compute additional checks,
@@ -270,7 +259,8 @@ public:
//
// This function may be called multiple times, regardless of whether it
// returns success or failure. It is guaranteed that BuildCertChain will not
- // return Success unless the last call to IsChainValid returns Success. Further,
+ // return Success unless the last call to IsChainValid returns Success.
+ // Further,
// it is guaranteed that when BuildCertChain returns Success the last chain
// passed to IsChainValid is the valid chain that should be used for further
// operations that require the whole chain.
@@ -289,8 +279,8 @@ public:
virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
const CertID& certID, Time time,
Duration validityDuration,
- /*optional*/ const Input* stapledOCSPresponse,
- /*optional*/ const Input* aiaExtension) = 0;
+ /*optional*/ const Input* stapledOCSPresponse,
+ /*optional*/ const Input* aiaExtension) = 0;
// Check that the given digest algorithm is acceptable for use in signatures.
//
@@ -307,8 +297,7 @@ public:
// Result::ERROR_INADEQUATE_KEY_SIZE if the key size is not acceptable,
// or another error code if another error occurred.
virtual Result CheckRSAPublicKeyModulusSizeInBits(
- EndEntityOrCA endEntityOrCA,
- unsigned int modulusSizeInBits) = 0;
+ EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) = 0;
// Verify the given RSA PKCS#1.5 signature on the given digest using the
// given RSA public key.
@@ -317,9 +306,8 @@ public:
// function, so it is not necessary to repeat those checks here. However,
// VerifyRSAPKCS1SignedDigest *is* responsible for doing the mathematical
// verification of the public key validity as specified in NIST SP 800-56A.
- virtual Result VerifyRSAPKCS1SignedDigest(
- const SignedDigest& signedDigest,
- Input subjectPublicKeyInfo) = 0;
+ virtual Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+ Input subjectPublicKeyInfo) = 0;
// Check that the given named ECC curve is acceptable for ECDSA signatures.
//
@@ -374,12 +362,11 @@ public:
// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
// other, extensive, memory safety efforts in mozilla::pkix, and we should
// find a way to provide a more-obviously-safe interface.
- virtual Result DigestBuf(Input item,
- DigestAlgorithm digestAlg,
- /*out*/ uint8_t* digestBuf,
- size_t digestBufLen) = 0;
-protected:
- TrustDomain() { }
+ virtual Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+ /*out*/ uint8_t* digestBuf, size_t digestBufLen) = 0;
+
+ protected:
+ TrustDomain() {}
TrustDomain(const TrustDomain&) = delete;
void operator=(const TrustDomain&) = delete;
@@ -390,25 +377,24 @@ enum class FallBackToSearchWithinSubject { No = 0, Yes = 1 };
// Applications control the behavior of matching presented name information from
// a certificate against a reference hostname by implementing the
// NameMatchingPolicy interface. Used in concert with CheckCertHostname.
-class NameMatchingPolicy
-{
-public:
- virtual ~NameMatchingPolicy() { }
+class NameMatchingPolicy {
+ public:
+ virtual ~NameMatchingPolicy() {}
// Given that the certificate in question has a notBefore field with the given
// value, should name matching fall back to searching within the subject
// common name field?
virtual Result FallBackToCommonName(
- Time notBefore,
- /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) = 0;
+ Time notBefore,
+ /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) = 0;
-protected:
- NameMatchingPolicy() { }
+ protected:
+ NameMatchingPolicy() {}
NameMatchingPolicy(const NameMatchingPolicy&) = delete;
void operator=(const NameMatchingPolicy&) = delete;
};
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_pkixtypes_h
+#endif // mozilla_pkix_pkixtypes_h
diff --git a/lib/mozpkix/include/pkix/pkixutil.h b/lib/mozpkix/include/pkix/pkixutil.h
index 3fc02c56e..ca5b5a2d7 100644
--- a/lib/mozpkix/include/pkix/pkixutil.h
+++ b/lib/mozpkix/include/pkix/pkixutil.h
@@ -27,7 +27,8 @@
#include "mozpkix/pkixder.h"
-namespace mozilla { namespace pkix {
+namespace mozilla {
+namespace pkix {
// During path building and verification, we build a linked list of BackCerts
// from the current cert toward the end-entity certificate. The linked list
@@ -38,19 +39,15 @@ namespace mozilla { namespace pkix {
// Each BackCert contains pointers to all the given certificate's extensions
// so that we can parse the extension block once and then process the
// extensions in an order that may be different than they appear in the cert.
-class BackCert final
-{
-public:
+class BackCert final {
+ public:
// certDER and childCert must be valid for the lifetime of BackCert.
- BackCert(Input aCertDER,
- EndEntityOrCA aEndEntityOrCA,
+ BackCert(Input aCertDER, EndEntityOrCA aEndEntityOrCA,
const BackCert* aChildCert)
- : der(aCertDER)
- , endEntityOrCA(aEndEntityOrCA)
- , childCert(aChildCert)
- , version(der::Version::Uninitialized)
- {
- }
+ : der(aCertDER),
+ endEntityOrCA(aEndEntityOrCA),
+ childCert(aChildCert),
+ version(der::Version::Uninitialized) {}
Result Init();
@@ -68,67 +65,47 @@ public:
// RFC 5280 names for everything.
const Input GetValidity() const { return validity; }
const Input GetSubject() const { return subject; }
- const Input GetSubjectPublicKeyInfo() const
- {
- return subjectPublicKeyInfo;
- }
- const Input* GetAuthorityInfoAccess() const
- {
+ const Input GetSubjectPublicKeyInfo() const { return subjectPublicKeyInfo; }
+ const Input* GetAuthorityInfoAccess() const {
return MaybeInput(authorityInfoAccess);
}
- const Input* GetBasicConstraints() const
- {
+ const Input* GetBasicConstraints() const {
return MaybeInput(basicConstraints);
}
- const Input* GetCertificatePolicies() const
- {
+ const Input* GetCertificatePolicies() const {
return MaybeInput(certificatePolicies);
}
- const Input* GetExtKeyUsage() const
- {
- return MaybeInput(extKeyUsage);
- }
- const Input* GetKeyUsage() const
- {
- return MaybeInput(keyUsage);
- }
- const Input* GetInhibitAnyPolicy() const
- {
+ const Input* GetExtKeyUsage() const { return MaybeInput(extKeyUsage); }
+ const Input* GetKeyUsage() const { return MaybeInput(keyUsage); }
+ const Input* GetInhibitAnyPolicy() const {
return MaybeInput(inhibitAnyPolicy);
}
- const Input* GetNameConstraints() const
- {
+ const Input* GetNameConstraints() const {
return MaybeInput(nameConstraints);
}
- const Input* GetSubjectAltName() const
- {
- return MaybeInput(subjectAltName);
- }
- const Input* GetRequiredTLSFeatures() const
- {
+ const Input* GetSubjectAltName() const { return MaybeInput(subjectAltName); }
+ const Input* GetRequiredTLSFeatures() const {
return MaybeInput(requiredTLSFeatures);
}
- const Input* GetSignedCertificateTimestamps() const
- {
+ const Input* GetSignedCertificateTimestamps() const {
return MaybeInput(signedCertificateTimestamps);
}
-private:
+ private:
const Input der;
-public:
+ public:
const EndEntityOrCA endEntityOrCA;
BackCert const* const childCert;
-private:
+ private:
// When parsing certificates in BackCert::Init, we don't accept empty
// extensions. Consequently, we don't have to store a distinction between
// empty extensions and extensions that weren't included. However, when
// *processing* extensions, we distinguish between whether an extension was
// included or not based on whetehr the GetXXX function for the extension
// returns nullptr.
- static inline const Input* MaybeInput(const Input& item)
- {
+ static inline const Input* MaybeInput(const Input& item) {
return item.GetLength() > 0 ? &item : nullptr;
}
@@ -155,7 +132,7 @@ private:
Input subjectAltName;
Input criticalNetscapeCertificateType;
Input requiredTLSFeatures;
- Input signedCertificateTimestamps; // RFC 6962 (Certificate Transparency)
+ Input signedCertificateTimestamps; // RFC 6962 (Certificate Transparency)
Result RememberExtension(Reader& extnID, Input extnValue, bool critical,
/*out*/ bool& understood);
@@ -164,29 +141,24 @@ private:
void operator=(const BackCert&) = delete;
};
-class NonOwningDERArray final : public DERArray
-{
-public:
- NonOwningDERArray()
- : numItems(0)
- {
+class NonOwningDERArray final : public DERArray {
+ public:
+ NonOwningDERArray() : numItems(0) {
// we don't need to initialize the items array because we always check
// numItems before accessing i.
}
size_t GetLength() const override { return numItems; }
- const Input* GetDER(size_t i) const override
- {
+ const Input* GetDER(size_t i) const override {
return i < numItems ? &items[i] : nullptr;
}
- Result Append(Input der)
- {
+ Result Append(Input der) {
if (numItems >= MAX_LENGTH) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
- Result rv = items[numItems].Init(der); // structure assignment
+ Result rv = items[numItems].Init(der); // structure assignment
if (rv != Success) {
return rv;
}
@@ -196,8 +168,9 @@ public:
// Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
static const size_t MAX_LENGTH = 8;
-private:
- Input items[MAX_LENGTH]; // avoids any heap allocations
+
+ private:
+ Input items[MAX_LENGTH]; // avoids any heap allocations
size_t numItems;
NonOwningDERArray(const NonOwningDERArray&) = delete;
@@ -206,25 +179,22 @@ private:
// Extracts the SignedCertificateTimestampList structure which is encoded as an
// OCTET STRING within the X.509v3 / OCSP extensions (see RFC 6962 section 3.3).
-Result
-ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
- Input& sctList);
+Result ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+ Input& sctList);
-inline unsigned int
-DaysBeforeYear(unsigned int year)
-{
+inline unsigned int DaysBeforeYear(unsigned int year) {
assert(year <= 9999);
- return ((year - 1u) * 365u)
- + ((year - 1u) / 4u) // leap years are every 4 years,
- - ((year - 1u) / 100u) // except years divisible by 100,
- + ((year - 1u) / 400u); // except years divisible by 400.
+ return ((year - 1u) * 365u) +
+ ((year - 1u) / 4u) // leap years are every 4 years,
+ - ((year - 1u) / 100u) // except years divisible by 100,
+ + ((year - 1u) / 400u); // except years divisible by 400.
}
-static const size_t MAX_DIGEST_SIZE_IN_BYTES = 512 / 8; // sha-512
+static const size_t MAX_DIGEST_SIZE_IN_BYTES = 512 / 8; // sha-512
Result DigestSignedData(TrustDomain& trustDomain,
const der::SignedDataWithSignature& signedData,
- /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+ /*out*/ uint8_t (&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
/*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
/*out*/ SignedDigest& signedDigest);
@@ -240,9 +210,9 @@ Result VerifySignedData(TrustDomain& trustDomain,
// Extracts the key parameters from |subjectPublicKeyInfo|, invoking
// the relevant methods of |trustDomain|.
-Result
-CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
- EndEntityOrCA endEntityOrCA);
+Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
+ TrustDomain& trustDomain,
+ EndEntityOrCA endEntityOrCA);
// In a switch over an enum, sometimes some compilers are not satisfied that
// all control flow paths have been considered unless there is a default case.
@@ -271,21 +241,25 @@ CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
// (-W-covered-switch-default). Versions prior to 3.5 warned about unreachable
// code in such default cases (-Wunreachable-code) even when
// -W-covered-switch-default was disabled, but that changed in Clang 3.5.
-#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM // empty
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM // empty
#elif defined(__GNUC__)
// GCC will warn if not all cases are covered (-Wswitch-enum). It does not
// assume that the default case is unreachable.
#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
- default: assert(false); __builtin_unreachable();
+ default: \
+ assert(false); \
+ __builtin_unreachable();
#elif defined(_MSC_VER)
// MSVC will warn if not all cases are covered (C4061, level 4). It does not
// assume that the default case is unreachable.
#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
- default: assert(false); __assume(0);
+ default: \
+ assert(false); \
+ __assume(0);
#else
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
#endif
+}
+} // namespace mozilla::pkix
-} } // namespace mozilla::pkix
-
-#endif // mozilla_pkix_pkixutil_h
+#endif // mozilla_pkix_pkixutil_h
diff --git a/nss-tool/enc/enctool.h b/nss-tool/enc/enctool.h
index df5f44950..f2296bb26 100644
--- a/nss-tool/enc/enctool.h
+++ b/nss-tool/enc/enctool.h
@@ -8,8 +8,8 @@
#include <string>
#include <vector>
#include "argparse.h"
-#include "prerror.h"
#include "nss_scoped_ptrs.h"
+#include "prerror.h"
#include "tool.h"
class EncTool : public Tool {
View Lorry Controller Status