OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 |
4 #ifndef NET_CERT_CT_POLICY_ENFORCER_H | 5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H |
5 #define NET_CERT_CT_POLICY_ENFORCER_H | 6 #define NET_CERT_CT_POLICY_ENFORCER_H |
6 | 7 |
7 #include <stddef.h> | 8 #include <stddef.h> |
| 9 #include <vector> |
8 | 10 |
9 #include "net/base/net_export.h" | 11 #include "net/base/net_export.h" |
| 12 #include "net/cert/signed_certificate_timestamp.h" |
10 #include "net/log/net_log.h" | 13 #include "net/log/net_log.h" |
11 | 14 |
12 namespace net { | 15 namespace net { |
13 | 16 |
14 namespace ct { | 17 namespace ct { |
15 | 18 |
16 struct CTVerifyResult; | |
17 class EVCertsWhitelist; | 19 class EVCertsWhitelist; |
| 20 enum class EVPolicyCompliance; |
18 | 21 |
19 } // namespace ct | 22 } // namespace ct |
20 | 23 |
21 class X509Certificate; | 24 class X509Certificate; |
22 | 25 |
| 26 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>; |
| 27 |
23 // Class for checking that a given certificate conforms to security-related | 28 // Class for checking that a given certificate conforms to security-related |
24 // policies. | 29 // policies. |
25 class NET_EXPORT CTPolicyEnforcer { | 30 class NET_EXPORT CTPolicyEnforcer { |
26 public: | 31 public: |
27 CTPolicyEnforcer() {} | 32 CTPolicyEnforcer() {} |
28 virtual ~CTPolicyEnforcer() {} | 33 virtual ~CTPolicyEnforcer() {} |
29 | 34 |
30 // Returns true if the collection of SCTs for the given certificate | 35 // Returns the CT/EV policy compliance status for a given certificate |
31 // conforms with the CT/EV policy. Conformance details are logged to | 36 // and collection of SCTs. |
32 // |net_log|. | 37 // |cert| is the certificate for which to check compliance, and |
33 // |cert| is the certificate for which the SCTs apply. | 38 // |verified_scts| contains any/all SCTs associated with |cert| that |
34 // |ct_result| must contain the result of verifying any SCTs associated with | 39 // have been verified (well-formed, issued by known logs, and applying to |
35 // |cert| prior to invoking this method. | 40 // |cert|). |
36 virtual bool DoesConformToCTEVPolicy(X509Certificate* cert, | 41 virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy( |
37 const ct::EVCertsWhitelist* ev_whitelist, | 42 X509Certificate* cert, |
38 const ct::CTVerifyResult& ct_result, | 43 const ct::EVCertsWhitelist* ev_whitelist, |
39 const BoundNetLog& net_log); | 44 const SCTList& verified_scts, |
| 45 const BoundNetLog& net_log); |
40 }; | 46 }; |
41 | 47 |
42 } // namespace net | 48 } // namespace net |
43 | 49 |
44 #endif // NET_CERT_CT_POLICY_ENFORCER_H | 50 #endif // NET_CERT_CT_POLICY_ENFORCER_H |
OLD | NEW |