net/cert/ct_verifier.h - Issue 1216153010: Certificate Transparency: Add observer for Signed Certificate Timestamps

Side by Side Diff: net/cert/ct_verifier.h

Issue 1216153010: Certificate Transparency: Add observer for Signed Certificate Timestamps (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressed review comments Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_CT_VERIFIER_H_	5 #ifndef NET_CERT_CT_VERIFIER_H_

6 #define NET_CERT_CT_VERIFIER_H_	6 #define NET_CERT_CT_VERIFIER_H_

7	7

	8 #include <string>

	9

	10 #include "base/memory/ref_counted.h"
	Ryan Sleevi 2015/07/02 14:25:46 Unused Unused Eran Messeri 2015/07/02 15:04:38 Done. Show quoted text On 2015/07/02 14:25:46, Ryan Sleevi (slow through 7-15 wrote: > Unused Done.
8 #include "net/base/net_export.h"	11 #include "net/base/net_export.h"

9	12

10 namespace net {	13 namespace net {

11	14

12 namespace ct {	15 namespace ct {

13 struct CTVerifyResult;	16 struct CTVerifyResult;

	17 struct SignedCertificateTimestamp;

14 } // namespace ct	18 } // namespace ct

15	19

16 class BoundNetLog;	20 class BoundNetLog;

	21 class CTLogVerifier;

17 class X509Certificate;	22 class X509Certificate;

18	23

19 // Interface for verifying Signed Certificate Timestamps over a certificate.	24 // Interface for verifying Signed Certificate Timestamps over a certificate.

20 class NET_EXPORT CTVerifier {	25 class NET_EXPORT CTVerifier {

21 public:	26 public:

	27 class NET_EXPORT Observer {

	28 public:

	29 // Called for each Signed Certificate Timestamp from a known log that vas

	30 // verified successfully (i.e. the signature verifies). \|sct\| is the

	31 // Signed Certificate Timestamp, \|cert\| is the certificate it applies to.

	32 // The certificate is needed to calculate the hash of the log entry,

	33 // necessary for checking inclusion in the log.

	34 virtual void OnSCTVerified(X509Certificate* cert,

	35 const ct::SignedCertificateTimestamp* sct) = 0;

	36 };

	37

22 virtual ~CTVerifier() {}	38 virtual ~CTVerifier() {}

23	39

24 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a	40 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a

25 // stapled OCSP response, and SCTs obtained via the	41 // stapled OCSP response, and SCTs obtained via the

26 // signed_certificate_timestamp TLS extension on the given \|cert\|.	42 // signed_certificate_timestamp TLS extension on the given \|cert\|.

27 // A certificate is permitted but not required to use multiple sources for	43 // A certificate is permitted but not required to use multiple sources for

28 // SCTs. It is expected that most certificates will use only one source	44 // SCTs. It is expected that most certificates will use only one source

29 // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response	45 // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response

30 // is available, \|stapled_ocsp_response\| should be an empty string. If no SCT	46 // is available, \|stapled_ocsp_response\| should be an empty string. If no SCT

31 // TLS extension was negotiated, \|sct_list_from_tls_extension\| should be an	47 // TLS extension was negotiated, \|sct_list_from_tls_extension\| should be an

32 // empty string. \|result\| will be filled with the SCTs present, divided into	48 // empty string. \|result\| will be filled with the SCTs present, divided into

33 // categories based on the verification result.	49 // categories based on the verification result.

34 virtual int Verify(X509Certificate* cert,	50 virtual int Verify(X509Certificate* cert,

35 const std::string& stapled_ocsp_response,	51 const std::string& stapled_ocsp_response,

36 const std::string& sct_list_from_tls_extension,	52 const std::string& sct_list_from_tls_extension,

37 ct::CTVerifyResult* result,	53 ct::CTVerifyResult* result,

38 const BoundNetLog& net_log) = 0;	54 const BoundNetLog& net_log) = 0;

	55

	56 // Registers \|observer\| to receive notifications of validated SCTs. Does not

	57 // take ownership of the observer as the observer may be performing

	58 // URLRequests which have to be cancelled before this object is destroyed.
	Ryan Sleevi 2015/07/02 14:25:46 comment nit: // Setting \|observer\| to nullptr has comment nit: // Setting \|observer\| to nullptr has the effect of stopping all notifications. Eran Messeri 2015/07/02 15:04:38 Done. Show quoted text On 2015/07/02 14:25:46, Ryan Sleevi (slow through 7-15 wrote: > comment nit: > // Setting \|observer\| to nullptr has the effect of stopping all notifications. Done.
	59 virtual void SetObserver(Observer* observer) = 0;

39 };	60 };

40	61

41 } // namespace net	62 } // namespace net

42	63

43 #endif // NET_CERT_CT_VERIFIER_H_	64 #endif // NET_CERT_CT_VERIFIER_H_

OLD	NEW

« no previous file with comments | « no previous file | net/cert/multi_log_ct_verifier.h » ('j') | net/cert/multi_log_ct_verifier_unittest.cc » ('J')