1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H | 5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H |
6 #define NET_CERT_CT_POLICY_ENFORCER_H | 6 #define NET_CERT_CT_POLICY_ENFORCER_H |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "net/base/net_export.h" | 11 #include "net/base/net_export.h" |
12 #include "net/cert/signed_certificate_timestamp.h" | 12 #include "net/cert/signed_certificate_timestamp.h" |
13 #include "net/log/net_log.h" | 13 #include "net/log/net_log.h" |
14 | 14 |
15 namespace net { | 15 namespace net { |
16 | 16 |
17 namespace ct { | 17 namespace ct { |
18 | 18 |
19 class EVCertsWhitelist; | 19 class EVCertsWhitelist; |
20 enum class CertPolicyCompliance; | |
20 enum class EVPolicyCompliance; | 21 enum class EVPolicyCompliance; |
21 | 22 |
22 } // namespace ct | 23 } // namespace ct |
23 | 24 |
24 class X509Certificate; | 25 class X509Certificate; |
25 | 26 |
26 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>; | 27 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>; |
27 | 28 |
28 // Class for checking that a given certificate conforms to security-related | 29 // Class for checking that a given certificate conforms to |
30 // Certificate Transparency-related policies. | |
31 // | |
32 // Each method can be called independently, to determine whether | |
33 // or not it complies with a given policy. | |
34 // | |
35 // For example, to determine if a certificate complies with the | |
36 // EV certificate policy, callers need only to call | |
37 // DoesConformToEVPolicy() - it is not necessary to first check | |
38 // whether or not DoesConformToCertPolicy(). | |
39 // | |
40 // However, consider the case where a given certificate is desired | |
41 // to be EV, but, if it does not conform to the EV policy, will | |
42 // be downgraded to DV. In this case, it's necessary to check if | |
43 // it complies with either policy. This can be done one of two | |
44 // ways, reflected in pseudo-code below: | |
45 // | |
46 // Recommended: | |
47 // // Checks EV certificates against the EV policy. If the | |
48 // // certificate fails, it will be downgraded to DV, in which | |
49 // // case, the DV policy will apply. | |
50 // bool is_valid_cert_policy = DoesConformToCertPolicy(...); | |
51 // bool is_valid_ev_policy = is_ev && DoesConformToEVPolicy(...); | |
52 // if (!is_valid_ev_policy) | |
53 // is_ev = false; | |
54 // is_valid_ct = is_valid_ev_policy || is_valid_cert_policy; | |
55 // | |
56 // NOT recommended: | |
57 // // Checks all certificates against the basic policy, and only | |
58 // // if they meet the baseline policy, check EV. | |
59 // bool conforms_to_cert_policy = DoesConformToCertPolicy(...); | |
60 // if (conforms_to_cert_policy && is_ev) { | |
61 // conforms_to_cert_policy = DoesConformToEVPolicy(...); | |
62 // } | |
63 // | |
64 // The reason the second form is NOT recommended is that the EV and Cert | |
65 // policies may be completely independent: a certificate might fail the | |
66 // cert policy but pass the EV policy (because, for example, the EV | |
67 // policy supports whitelisting certificates). Or, conversely, the EV | |
68 // policy might have stricter SCT requirements, so that a certificate | |
69 // passes the certificate policy but fails the EV policy. For this | |
70 // reason, callers are encouraged to check the policy specific to the | |
71 // certificate type being validated, and only call other methods if they | |
72 // are changing the type of certificate because it failed one or more | |
29 // policies. | 73 // policies. |
30 class NET_EXPORT CTPolicyEnforcer { | 74 class NET_EXPORT CTPolicyEnforcer { |
31 public: | 75 public: |
32 CTPolicyEnforcer() {} | 76 CTPolicyEnforcer() {} |
33 virtual ~CTPolicyEnforcer() {} | 77 virtual ~CTPolicyEnforcer() {} |
34 | 78 |
79 // Returns the CT certificate policy compliance status for a given | |
80 // certificate and collection of SCTs. | |
81 // |cert| is the certificate for which to check compliance, and | |
82 // ||verified_scts| contains any/all SCTs associated with |cert| that | |
83 // |have been verified (well-formed, issued by known logs, and | |
84 // |applying to |cert|). | |
85 virtual ct::CertPolicyCompliance DoesConformToCertPolicy( | |
86 X509Certificate* cert, | |
87 const std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>& | |
88 verified_scts, | |
Ryan Sleevi
2016/02/22 23:31:22
Why isn't this "const SCTList& verified_scts" ?
estark
2016/02/23 06:31:33
Done.
89 const BoundNetLog& net_log); | |
90 | |
35 // Returns the CT/EV policy compliance status for a given certificate | 91 // Returns the CT/EV policy compliance status for a given certificate |
36 // and collection of SCTs. | 92 // and collection of SCTs. |
37 // |cert| is the certificate for which to check compliance, and | 93 // |cert| is the certificate for which to check compliance, and |
38 // |verified_scts| contains any/all SCTs associated with |cert| that | 94 // ||verified_scts| contains any/all SCTs associated with |cert| that |
39 // have been verified (well-formed, issued by known logs, and applying to | 95 // |have been verified (well-formed, issued by known logs, and |
40 // |cert|). | 96 // |applying to |cert|). |
41 virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy( | 97 virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy( |
42 X509Certificate* cert, | 98 X509Certificate* cert, |
43 const ct::EVCertsWhitelist* ev_whitelist, | 99 const ct::EVCertsWhitelist* ev_whitelist, |
44 const SCTList& verified_scts, | 100 const SCTList& verified_scts, |
45 const BoundNetLog& net_log); | 101 const BoundNetLog& net_log); |
46 }; | 102 }; |
47 | 103 |
48 } // namespace net | 104 } // namespace net |
49 | 105 |
50 #endif // NET_CERT_CT_POLICY_ENFORCER_H | 106 #endif // NET_CERT_CT_POLICY_ENFORCER_H |
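Review bot: The new class comment names a method DoesConformToEVPolicy() (new lines 37-38 and again in the pseudo-code at 51 and 61), but the method actually declared in this class is DoesConformToCTEVPolicy(), so the comment should use the declared name so that readers grepping for it land on the right declaration, e.g. `// DoesConformToCTEVPolicy() - it is not necessary to first check` / `// whether or not DoesConformToCertPolicy().` and `//   bool is_valid_ev_policy = is_ev && DoesConformToCTEVPolicy(...);`. Separately, the new parameter comments at lines 82-84 and the reworked ones at 94-96 appear to carry a stray leading `|` on each continuation line (`// ||verified_scts| contains`, `// |have been verified`, `// |applying to |cert|).`), which looks like an editing slip rather than the |name| convention used elsewhere in the file; the old text at lines 38-40 shows the intended form. Since both methods return enum class compliance values rather than bool, it may also help to say in the pseudo-code that `is_valid_cert_policy`/`is_valid_ev_policy` stand for comparing the returned value against the complying enumerators, so callers do not read the sketch as a plain boolean check.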