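--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -1,50 +1,105 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_CT_POLICY_ENFORCER_H
 #define NET_CERT_CT_POLICY_ENFORCER_H
 
 #include <stddef.h>
 #include <vector>
 
 #include "net/base/net_export.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/log/net_log.h"
 
 namespace net {
 
 namespace ct {
 
 class EVCertsWhitelist;
+enum class CertPolicyCompliance;
 enum class EVPolicyCompliance;
 
 } // namespace ct
 
 class X509Certificate;
 
 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
 
-// Class for checking that a given certificate conforms to security-related
+// Class for checking that a given certificate conforms to
+// Certificate Transparency-related policies.
+//
+// Each method can be called independently, to determine whether
+// or not it complies with a given policy.
+//
+// For example, to determine if a certificate complies with the
+// EV certificate policy, callers need only to call
+// DoesConformToEVPolicy() - it is not necessary to first check
+// whether or not DoesConformToCertPolicy().
+//
+// However, consider the case where a given certificate is desired
+// to be EV, but, if it does not conform to the EV policy, will
+// be downgraded to DV. In this case, it's necessary to check if
+// it complies with either policy. This can be done one of two
+// ways, reflected in pseudo-code below:
+//
+// Recommended:
+// // Checks EV certificates against the EV policy. If the
+// // certificate fails, it will be downgraded to DV, in which
+// // case, the DV policy will apply.
+// bool is_valid_cert_policy = DoesConformToCertPolicy(...);
+// bool is_valid_ev_policy = is_ev && DoesConformToEVPolicy(...);
+// if (!is_valid_ev_policy)
+// is_ev = false;
+// is_valid_ct = is_valid_ev_policy || is_valid_cert_policy;
+//
+// NOT recommended:
+// // Checks all certificates against the basic policy, and only
+// // if they meet the baseline policy, check EV.
+// bool conforms_to_cert_policy = DoesConformToCertPolicy(...);
+// if (conforms_to_cert_policy && is_ev) {
+// conforms_to_cert_policy = DoesConformToEVPolicy(...);
+// }
+//
+// The reason the second form is NOT recommended is that the EV and Cert
+// policies may be completely independent: a certificate might fail the
+// cert policy but pass the EV policy (because, for example, the EV
+// policy supports whitelisting certificates). Or, conversely, the EV
+// policy might have stricter SCT requirements, so that a certificate
+// passes the certificate policy but fails the EV policy. For this
+// reason, callers are encouraged to check the policy specific to the
+// certificate type being validated, and only call other methods if they
+// are changing the type of certificate because it failed one or more
 // policies.
 class NET_EXPORT CTPolicyEnforcer {
 public:
 CTPolicyEnforcer() {}
 virtual ~CTPolicyEnforcer() {}
 
+// Returns the CT certificate policy compliance status for a given
+// certificate and collection of SCTs.
+// |cert| is the certificate for which to check compliance, and
+// ||verified_scts| contains any/all SCTs associated with |cert| that
+// |have been verified (well-formed, issued by known logs, and
+// |applying to |cert|).
+virtual ct::CertPolicyCompliance DoesConformToCertPolicy(
+X509Certificate* cert,
+const SCTList& verified_scts,
+const BoundNetLog& net_log);
+
 // Returns the CT/EV policy compliance status for a given certificate
 // and collection of SCTs.
 // |cert| is the certificate for which to check compliance, and
-// |verified_scts| contains any/all SCTs associated with |cert| that
-// have been verified (well-formed, issued by known logs, and applying to
-// |cert|).
+// ||verified_scts| contains any/all SCTs associated with |cert| that
+// |have been verified (well-formed, issued by known logs, and
+// |applying to |cert|).
 virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy(
 X509Certificate* cert,
 const ct::EVCertsWhitelist* ev_whitelist,
 const SCTList& verified_scts,
 const BoundNetLog& net_log);
 };
 
 } // namespace net
 
 #endif // NET_CERT_CT_POLICY_ENFORCER_H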
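Review bot: The new doc comment on DoesConformToCertPolicy (new lines 82–84) has stray leading `|` characters on its continuation lines, and the same corruption was copied over the previously correct comment on DoesConformToCTEVPolicy (new lines 93–95), so `||verified_scts|` and `|have been verified` no longer follow the `|name|` identifier convention used elsewhere in the header. Both comments should read `// |verified_scts| contains any/all SCTs associated with |cert| that`, `// have been verified (well-formed, issued by known logs, and`, `// applying to |cert|).`. The class comment's pseudo-code also refers to `DoesConformToEVPolicy()`, but the method declared below is `DoesConformToCTEVPolicy`; the two names should agree so readers can find the EV entry point. Since the comment now tells callers to treat the cert and EV policies as independent, stating in the DoesConformToCertPolicy comment that it does not consult the EV whitelist (the parameter list shows it takes none) would make that independence explicit at the declaration.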