OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_CT_VERIFIER_H_ | 5 #ifndef NET_CERT_CT_VERIFIER_H_ |
6 #define NET_CERT_CT_VERIFIER_H_ | 6 #define NET_CERT_CT_VERIFIER_H_ |
7 | 7 |
8 #include "base/memory/ref_counted.h" | |
9 #include "base/observer_list.h" | |
8 #include "net/base/net_export.h" | 10 #include "net/base/net_export.h" |
9 | 11 |
10 namespace net { | 12 namespace net { |
11 | 13 |
12 namespace ct { | 14 namespace ct { |
13 struct CTVerifyResult; | 15 struct CTVerifyResult; |
16 struct SignedCertificateTimestamp; | |
14 } // namespace ct | 17 } // namespace ct |
15 | 18 |
16 class BoundNetLog; | 19 class BoundNetLog; |
20 class CTLogVerifier; | |
17 class X509Certificate; | 21 class X509Certificate; |
18 | 22 |
19 // Interface for verifying Signed Certificate Timestamps over a certificate. | 23 // Interface for verifying Signed Certificate Timestamps over a certificate. |
20 class NET_EXPORT CTVerifier { | 24 class NET_EXPORT CTVerifier { |
21 public: | 25 public: |
22 virtual ~CTVerifier() {} | 26 CTVerifier(); |
27 virtual ~CTVerifier(); | |
23 | 28 |
24 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a | 29 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a |
25 // stapled OCSP response, and SCTs obtained via the | 30 // stapled OCSP response, and SCTs obtained via the |
26 // signed_certificate_timestamp TLS extension on the given |cert|. | 31 // signed_certificate_timestamp TLS extension on the given |cert|. |
27 // A certificate is permitted but not required to use multiple sources for | 32 // A certificate is permitted but not required to use multiple sources for |
28 // SCTs. It is expected that most certificates will use only one source | 33 // SCTs. It is expected that most certificates will use only one source |
29 // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response | 34 // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response |
30 // is available, |stapled_ocsp_response| should be an empty string. If no SCT | 35 // is available, |stapled_ocsp_response| should be an empty string. If no SCT |
31 // TLS extension was negotiated, |sct_list_from_tls_extension| should be an | 36 // TLS extension was negotiated, |sct_list_from_tls_extension| should be an |
32 // empty string. |result| will be filled with the SCTs present, divided into | 37 // empty string. |result| will be filled with the SCTs present, divided into |
33 // categories based on the verification result. | 38 // categories based on the verification result. |
34 virtual int Verify(X509Certificate* cert, | 39 virtual int Verify(X509Certificate* cert, |
35 const std::string& stapled_ocsp_response, | 40 const std::string& stapled_ocsp_response, |
36 const std::string& sct_list_from_tls_extension, | 41 const std::string& sct_list_from_tls_extension, |
37 ct::CTVerifyResult* result, | 42 ct::CTVerifyResult* result, |
38 const BoundNetLog& net_log) = 0; | 43 const BoundNetLog& net_log) = 0; |
44 | |
45 class NET_EXPORT Observer { | |
46 public: | |
47 virtual ~Observer() {} | |
48 | |
davidben
2015/05/07 21:59:38
Add a comment for when this is called and what |ve
Eran Messeri
2015/07/10 13:15:48
Done.
| |
49 virtual void OnSCTVerified(const ct::SignedCertificateTimestamp* sct, | |
50 CTLogVerifier* verifier) {} | |
davidben
2015/05/07 21:59:38
I wonder if this is better in MultiLogCTVerifier i
Eran Messeri
2015/07/10 13:15:48
The distinction between CTVerifier and MultiLogCTV
Ryan Sleevi
2015/07/10 13:45:02
I seem to recall us discussing this in person and
Ryan Sleevi
2015/07/10 13:45:02
Well, no, it was somewhat intentional, not artific
Eran Messeri
2015/07/13 10:58:22
Acknowledged - the CTLogVerifier* is not needed he
| |
51 | |
52 protected: | |
53 Observer() {} | |
54 | |
55 private: | |
56 DISALLOW_COPY_AND_ASSIGN(Observer); | |
57 }; | |
58 | |
59 // Registers |observer| to receive notifications of validated SCTs. The | |
60 // thread on which this is called is the thread on which |observer| will be | |
61 // called back with notifications. | |
davidben
2015/05/07 21:59:38
Is this true? We're not using an ObserverListThrea
Eran Messeri
2015/07/10 13:15:48
Right, corrected the comment.
| |
62 void AddObserver(Observer* observer); | |
63 | |
64 // Unregisters |observer| from receiving notifications. This must be called | |
65 // on the same thread on which AddObserver() was called. | |
66 void RemoveObserver(Observer* observer); | |
67 | |
68 protected: | |
69 void NotifyObserversOfSCTVerified( | |
70 scoped_refptr<ct::SignedCertificateTimestamp> sct, | |
71 CTLogVerifier* verifier); | |
72 | |
73 private: | |
74 ObserverList<Observer> observer_list_; | |
75 | |
76 DISALLOW_COPY_AND_ASSIGN(CTVerifier); | |
39 }; | 77 }; |
40 | 78 |
41 } // namespace net | 79 } // namespace net |
42 | 80 |
43 #endif // NET_CERT_CT_VERIFIER_H_ | 81 #endif // NET_CERT_CT_VERIFIER_H_ |
OLD | NEW |