Index: net/cert/ct_policy_enforcer.h |
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h |
index 8c29da5ecb3a9891ef2be90a55ae873ab61c91d4..731926cc87b735b465c069305e11f89f726806a9 100644 |
--- a/net/cert/ct_policy_enforcer.h |
+++ b/net/cert/ct_policy_enforcer.h |
@@ -7,13 +7,13 @@ |
#include <stddef.h> |
#include "net/base/net_export.h" |
+#include "net/cert/signed_certificate_timestamp.h" |
#include "net/log/net_log.h" |
namespace net { |
namespace ct { |
-struct CTVerifyResult; |
class EVCertsWhitelist; |
} // namespace ct |
@@ -24,19 +24,44 @@ class X509Certificate; |
// policies. |
class NET_EXPORT CTPolicyEnforcer { |
public: |
+ // Information about the connection's compliance with the EV |
+ // certificate policy. |
+ enum EVPolicyCompliance { |
+ // The certificate was not EV, so the EV policy doesn't apply. |
+ EV_POLICY_DOES_NOT_APPLY = 0, |
+ // The connection complied with the EV certificate policy by being |
+ // included on the EV whitelist. |
+ EV_POLICY_COMPLIES_VIA_WHITELIST, |
+ // The connection complied with the EV certificate policy by |
+ // including SCTs that satisfy the policy. |
+ EV_POLICY_COMPLIES_VIA_SCTS, |
+ // The connection did not have enough SCTs to retain its EV |
+ // status. |
+ EV_POLICY_NOT_ENOUGH_SCTS, |
+ // The connection did not have diverse enough SCTs to retain its |
+ // EV status. |
+ EV_POLICY_NOT_DIVERSE_SCTS, |
+ // The connection cannot be considered compliant because the build |
+ // isn't timely and therefore log information might be out of date |
+ // (for example a log might no longer be considered trustworthy). |
+ EV_POLICY_BUILD_NOT_TIMELY, |
+ }; |
Ryan Sleevi
2016/02/05 02:09:25
The problem I see with this approach is it breaks
haavardm
2016/02/08 12:49:15
For now, Opera will simply inherit the Google poli
|
+ |
CTPolicyEnforcer() {} |
virtual ~CTPolicyEnforcer() {} |
- // Returns true if the collection of SCTs for the given certificate |
- // conforms with the CT/EV policy. Conformance details are logged to |
- // |net_log|. |
+ // Returns an enum indicating if the collection of SCTs for the given |
+ // certificate conforms with the CT/EV policy. Conformance details are logged |
+ // to |net_log|. |
// |cert| is the certificate for which the SCTs apply. |
- // |ct_result| must contain the result of verifying any SCTs associated with |
- // |cert| prior to invoking this method. |
- virtual bool DoesConformToCTEVPolicy(X509Certificate* cert, |
- const ct::EVCertsWhitelist* ev_whitelist, |
- const ct::CTVerifyResult& ct_result, |
- const BoundNetLog& net_log); |
+ // |verified_scts| contains any SCTs associated with |cert| that were |
+ // verified prior to invoking this method and found to be valid. |
+ virtual EVPolicyCompliance DoesConformToCTEVPolicy( |
+ X509Certificate* cert, |
+ const ct::EVCertsWhitelist* ev_whitelist, |
+ const std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>& |
+ verified_scts, |
estark
2016/01/30 17:03:29
I changed this method to take a list of SCTs inste
Ryan Sleevi
2016/02/05 02:09:25
We should probably simplify this with a using
estark
2016/02/08 08:36:26
Did you mean `using SCTList = std::vector...`? If
|
+ const BoundNetLog& net_log); |
}; |
} // namespace net |
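Review bot: The new DoesConformToCTEVPolicy signature names std::vector and scoped_refptr, but the include hunk adds only `net/cert/signed_certificate_timestamp.h`, so this header now depends on that file to pull in `<vector>` and `base/memory/ref_counted.h`; include both directly here unless they already sit among the context lines the rendering dropped. The |verified_scts| comment could also state the caller's obligation more sharply, since the policy verdict rests on the caller pre-filtering the list: `// |verified_scts| must contain only SCTs whose signatures were verified against a known log; this method does not re-check them, and any unverified SCT passed here would count toward the policy.` EVPolicyCompliance pins only EV_POLICY_DOES_NOT_APPLY to 0; if these values are meant to be logged or persisted, a comment that existing values must not be renumbered (plus a trailing sentinel if that is the project's convention) would be worth adding, though I cannot tell from this hunk whether they are.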