Chromium Code Reviews

Unified Diff: net/cert/ct_policy_enforcer.h

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: build fix (netlog SetString instead of SetBoolean) Created 4 years, 10 months ago
Index: net/cert/ct_policy_enforcer.h
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h
index a2db8f0872e449a8d3b2c772126a5b00c5d6be8e..8ed1f8232b60f75f1dfe978e71cea482336769f7 100644
--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -17,6 +17,7 @@ namespace net {
namespace ct {
class EVCertsWhitelist;
+enum class CertPolicyCompliance;
enum class EVPolicyCompliance;
} // namespace ct
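Review bot: the forward declaration `+enum class CertPolicyCompliance;` is only valid because a scoped enum has a fixed underlying type (int unless the definition says otherwise); if the definition of `CertPolicyCompliance` in its own header specifies an explicit underlying type, this forward declaration has to repeat it or the two declarations conflict. It matches how `EVPolicyCompliance` is already forward-declared on the next line, so the main thing to confirm is that both definitions use the default underlying type, and the .cc that actually compares the enum values includes the defining header rather than relying on this declaration.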
@@ -25,19 +26,74 @@ class X509Certificate;
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
-// Class for checking that a given certificate conforms to security-related
+// Class for checking that a given certificate conforms to
+// Certificate Transparency-related policies.
+//
+// Each method can be called independently, to determine whether
+// or not it complies with a given policy.
+//
+// For example, to determine if a certificate complies with the
+// EV certificate policy, callers need only to call
+// DoesConformToEVPolicy() - it is not necessary to first check
+// whether or not DoesConformToCertPolicy().
+//
+// However, consider the case where a given certificate is desired
+// to be EV, but, if it does not conform to the EV policy, will
+// be downgraded to DV. In this case, it's necessary to check if
+// it complies with either policy. This can be done one of two
+// ways, reflected in pseudo-code below:
+//
+// Recommended:
+// // Checks EV certificates against the EV policy. If the
+// // certificate fails, it will be downgraded to DV, in which
+// // case, the DV policy will apply.
+// bool is_valid_cert_policy = DoesConformToCertPolicy(...);
+// bool is_valid_ev_policy = is_ev && DoesConformToEVPolicy(...);
+// if (!is_valid_ev_policy)
+// is_ev = false;
+// is_valid_ct = is_valid_ev_policy || is_valid_cert_policy;
+//
+// NOT recommended:
+// // Checks all certificates against the basic policy, and only
+// // if they meet the baseline policy, check EV.
+// bool conforms_to_cert_policy = DoesConformToCertPolicy(...);
+// if (conforms_to_cert_policy && is_ev) {
+// conforms_to_cert_policy = DoesConformToEVPolicy(...);
+// }
+//
+// The reason the second form is NOT recommended is that the EV and Cert
+// policies may be completely independent: a certificate might fail the
+// cert policy but pass the EV policy (because, for example, the EV
+// policy supports whitelisting certificates). Or, conversely, the EV
+// policy might have stricter SCT requirements, so that a certificate
+// passes the certificate policy but fails the EV policy. For this
+// reason, callers are encouraged to check the policy specific to the
+// certificate type being validated, and only call other methods if they
+// are changing the type of certificate because it failed one or more
// policies.
class NET_EXPORT CTPolicyEnforcer {
public:
CTPolicyEnforcer() {}
virtual ~CTPolicyEnforcer() {}
+ // Returns the CT certificate policy compliance status for a given
+ // certificate and collection of SCTs.
+ // |cert| is the certificate for which to check compliance, and
+ // ||verified_scts| contains any/all SCTs associated with |cert| that
+ // |have been verified (well-formed, issued by known logs, and
+ // |applying to |cert|).
+ virtual ct::CertPolicyCompliance DoesConformToCertPolicy(
+ X509Certificate* cert,
+ const std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>&
+ verified_scts,
Ryan Sleevi 2016/02/22 23:31:22 Why isn't this "const SCTList& verified_scts" ?
estark 2016/02/23 06:31:33 Done.
+ const BoundNetLog& net_log);
+
// Returns the CT/EV policy compliance status for a given certificate
// and collection of SCTs.
// |cert| is the certificate for which to check compliance, and
- // |verified_scts| contains any/all SCTs associated with |cert| that
- // have been verified (well-formed, issued by known logs, and applying to
- // |cert|).
+ // ||verified_scts| contains any/all SCTs associated with |cert| that
+ // |have been verified (well-formed, issued by known logs, and
+ // |applying to |cert|).
virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy(
X509Certificate* cert,
const ct::EVCertsWhitelist* ev_whitelist,
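Review bot: the new parameter documentation has stray `|` characters at the start of three lines (`// ||verified_scts| contains any/all SCTs`, `// |have been verified (well-formed, ...`, `// |applying to |cert|).`), and the same typo is pasted over the existing DoesConformToCTEVPolicy() comment, replacing text that was correct; the removed form (`// |verified_scts| contains any/all SCTs associated with |cert| that`) is the right one and should be restored in both places. Second, the class-level comment and its pseudo-code refer to DoesConformToEVPolicy(), but the declared method is DoesConformToCTEVPolicy(); the comment should use the real name so the example can be matched against the declaration. Third, as the inline comment already notes, the new method can take `const SCTList& verified_scts` using the alias defined a few lines above instead of spelling out the full vector type.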