OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 #ifndef NET_CERT_CT_POLICY_ENFORCER_H | 4 #ifndef NET_CERT_CT_POLICY_ENFORCER_H |
5 #define NET_CERT_CT_POLICY_ENFORCER_H | 5 #define NET_CERT_CT_POLICY_ENFORCER_H |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 | 8 |
9 #include "net/base/net_export.h" | 9 #include "net/base/net_export.h" |
10 #include "net/cert/cert_status_flags.h" | |
10 #include "net/log/net_log.h" | 11 #include "net/log/net_log.h" |
11 | 12 |
12 namespace net { | 13 namespace net { |
13 | 14 |
14 namespace ct { | 15 namespace ct { |
15 | 16 |
16 struct CTVerifyResult; | 17 struct CTVerifyResult; |
17 class EVCertsWhitelist; | 18 class EVCertsWhitelist; |
18 | 19 |
19 } // namespace ct | 20 } // namespace ct |
20 | 21 |
21 class X509Certificate; | 22 class X509Certificate; |
22 | 23 |
23 // Class for checking that a given certificate conforms to security-related | 24 // Class for checking that a given certificate conforms to |
24 // policies. | 25 // Certificate-Transparency-related policies. |
26 // | |
27 // There are two methods for checking policies: | |
28 // DoesConformToCertPolicy() which applies to certificates in general, | |
29 // and DoesConformToEVPolicy() which applies to EV certificates. | |
Ryan Sleevi
2016/01/23 02:08:10
OK, so, a concrete suggestion would be declaring w
estark
2016/01/24 16:47:46
I'm not understanding something... It seems to me
Ryan Sleevi
2016/01/25 22:30:42
Yeah, perhaps "valid" is an overloaded term. See b
| |
25 class NET_EXPORT CTPolicyEnforcer { | 30 class NET_EXPORT CTPolicyEnforcer { |
26 public: | 31 public: |
27 CTPolicyEnforcer() {} | 32 CTPolicyEnforcer() {} |
28 virtual ~CTPolicyEnforcer() {} | 33 virtual ~CTPolicyEnforcer() {} |
29 | 34 |
30 // Returns true if the collection of SCTs for the given certificate | 35 // Returns true if the collection of SCTs for the given |certificate| |
31 // conforms with the CT/EV policy. Conformance details are logged to | 36 // conforms with the CT certificate policy. |
32 // |net_log|. | |
33 // |cert| is the certificate for which the SCTs apply. | 37 // |cert| is the certificate for which the SCTs apply. |
34 // |ct_result| must contain the result of verifying any SCTs associated with | 38 // |ct_result| must contain the result of verifying any SCTs associated with |
35 // |cert| prior to invoking this method. | 39 // |cert| prior to invoking this method. |
36 virtual bool DoesConformToCTEVPolicy(X509Certificate* cert, | 40 virtual bool DoesConformToCertPolicy(X509Certificate* cert, |
37 const ct::EVCertsWhitelist* ev_whitelist, | 41 const ct::CTVerifyResult& ct_result); |
38 const ct::CTVerifyResult& ct_result, | 42 |
39 const BoundNetLog& net_log); | 43 // Returns true if the collection of SCTs for the given |certificate| |
44 // conforms with the EV certificate policy. Conformance details are | |
45 // logged to |net_log|. | |
46 // |cert| is the certificate for which the SCTs apply. | |
47 // |ct_result| must contain the result of verifying any SCTs associated with | |
48 // |cert| prior to invoking this method. | |
49 // |ev_whitelist| is a whitelist of EV certificates for which CT policy need | |
50 // not apply. | |
51 virtual bool DoesConformToEVPolicy(X509Certificate* cert, | |
52 const ct::CTVerifyResult& ct_result, | |
53 const ct::EVCertsWhitelist* ev_whitelist, | |
54 const BoundNetLog& net_log); | |
40 }; | 55 }; |
41 | 56 |
42 } // namespace net | 57 } // namespace net |
43 | 58 |
44 #endif // NET_CERT_CT_POLICY_ENFORCER_H | 59 #endif // NET_CERT_CT_POLICY_ENFORCER_H |
OLD | NEW |