Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(378)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/ct_policy_enforcer.h

Issue 1652603002: Add information to SSLInfo about CT EV policy compliance (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: SSLClientSOcket nss fix Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | net/cert/ct_policy_enforcer.cc » ('j') | net/cert/ct_policy_enforcer_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/ct_policy_enforcer.h
diff --git a/net/cert/ct_policy_enforcer.h b/net/cert/ct_policy_enforcer.h
index 8c29da5ecb3a9891ef2be90a55ae873ab61c91d4..4f76f5c2c984239ee7c5ba794e32ccd841bfa214 100644
--- a/net/cert/ct_policy_enforcer.h
+++ b/net/cert/ct_policy_enforcer.h
@@ -7,36 +7,62 @@
#include <stddef.h>
#include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp.h"
#include "net/log/net_log.h"
namespace net {
namespace ct {
-struct CTVerifyResult;
class EVCertsWhitelist;
} // namespace ct
class X509Certificate;
+using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
+
// Class for checking that a given certificate conforms to security-related
// policies.
class NET_EXPORT CTPolicyEnforcer {
public:
+ // Information about the connection's compliance with the EV
+ // certificate policy.
+ enum EVPolicyCompliance {
+ // The certificate was not EV, so the EV policy doesn't apply.
+ EV_POLICY_DOES_NOT_APPLY = 0,
+ // The connection complied with the EV certificate policy by being
+ // included on the EV whitelist.
+ EV_POLICY_COMPLIES_VIA_WHITELIST,
+ // The connection complied with the EV certificate policy by
+ // including SCTs that satisfy the policy.
+ EV_POLICY_COMPLIES_VIA_SCTS,
+ // The connection did not have enough SCTs to retain its EV
+ // status.
+ EV_POLICY_NOT_ENOUGH_SCTS,
+ // The connection did not have diverse enough SCTs to retain its
+ // EV status.
+ EV_POLICY_NOT_DIVERSE_SCTS,
+ // The connection cannot be considered compliant because the build
+ // isn't timely and therefore log information might be out of date
+ // (for example a log might no longer be considered trustworthy).
+ EV_POLICY_BUILD_NOT_TIMELY,
+ };
+
CTPolicyEnforcer() {}
virtual ~CTPolicyEnforcer() {}
- // Returns true if the collection of SCTs for the given certificate
- // conforms with the CT/EV policy. Conformance details are logged to
- // |net_log|.
+ // Returns an enum indicating if the collection of SCTs for the given
+ // certificate conforms with the CT/EV policy. Conformance details are logged
+ // to |net_log|.
// |cert| is the certificate for which the SCTs apply.
- // |ct_result| must contain the result of verifying any SCTs associated with
- // |cert| prior to invoking this method.
- virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
- const ct::EVCertsWhitelist* ev_whitelist,
- const ct::CTVerifyResult& ct_result,
- const BoundNetLog& net_log);
+ // |verified_scts| contains any SCTs associated with |cert| that were
+ // verified prior to invoking this method and found to be valid.
+ virtual EVPolicyCompliance DoesConformToCTEVPolicy(
+ X509Certificate* cert,
+ const ct::EVCertsWhitelist* ev_whitelist,
+ const SCTList& verified_scts,
+ const BoundNetLog& net_log);
};
} // namespace net
« no previous file with comments | « no previous file | net/cert/ct_policy_enforcer.cc » ('j') | net/cert/ct_policy_enforcer_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698