Index: net/cert/expect_staple_report.h |
diff --git a/net/cert/expect_staple_report.h b/net/cert/expect_staple_report.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..45da48fd059f056db329445d854180595f8631f3 |
--- /dev/null |
+++ b/net/cert/expect_staple_report.h |
@@ -0,0 +1,73 @@ |
+// Copyright 2016 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef NET_CERT_OCSP_STAPLE_H |
estark
2016/06/15 23:51:46
NET_CERT_EXPECT_STAPLE_REPORT_H(here and below)
dadrian
2016/06/16 03:27:23
Done. Missed that when I renamed the file. :(
|
+#define NET_CERT_OCSP_STAPLE_H |
+ |
+#include <memory> |
+ |
+#include "base/macros.h" |
+#include "base/time/time.h" |
+#include "net/base/net_export.h" |
+#include "net/cert/internal/parse_ocsp.h" |
+#include "net/cert/x509_certificate.h" |
+ |
+namespace net { |
+ |
+// An ExpectStapleReport is used to determine if a stapled OCSP response is |
+// valid for a given certificate, and contains all the information needed to |
+// construct a report payload for sites opting into Expect-Staple. |
+class NET_EXPORT ExpectStapleReport { |
+ public: |
+ ExpectStapleReport(); |
+ ~ExpectStapleReport(); |
+ |
+ // Stores the validity of a single stapled response. |
+ struct SingleResult { |
+ bool is_date_valid = false; |
+ bool is_correct_certificate = false; |
+ OCSPCertStatus::Status status = OCSPCertStatus::Status::UNKNOWN; |
+ }; |
+ |
+ // Represents where during the staple verification an error occured. |
estark
2016/06/15 23:51:46
nit: occurred (sorry)
dadrian
2016/06/16 03:27:23
Done. I swear, I have two degrees and know how to
|
+ enum class StapleError { |
+ OK = 0, |
estark
2016/06/15 23:51:46
nit: no explicit assignments necessary
dadrian
2016/06/16 03:27:23
Done.
|
+ PARSE_RESPONSE = 1, |
+ BAD_RESPONSE = 2, |
+ PARSE_RESPONSE_DATA = 3, |
+ PARSE_SINGLE_RESPONSE = 4, |
+ NO_MATCHING_RESPONSE = 5 |
estark
2016/06/15 23:51:46
nit: trailing comma
dadrian
2016/06/16 03:27:23
Done.
|
+ }; |
+ |
+ // Creates an ExpectStapleReport from an unparsed OCSP response. |
+ // This compares the serial number of the certificate, and verifies that |
+ // |verify_time| is within thisUpdate and nextUpdate, and that thisUpdate is |
+ // at least as recent as |verify_time - max_age|. |
+ // |
+ // TODO(dadrian): Check issuer and signatures. https://crbug.com/620005 |
+ static std::unique_ptr<ExpectStapleReport> FromRawOCSPResponse( |
+ const std::string& raw_response, |
+ const base::Time& verify_time, |
+ const base::TimeDelta& max_age, |
+ const X509Certificate& server_certificate); |
+ |
+ StapleError staple_error() const { return staple_error_; } |
+ |
+ const std::vector<SingleResult>& stapled_responses() const { |
+ return stapled_responses_; |
+ } |
+ |
+ const base::Time& verify_time() const { return verify_time_; } |
+ |
+ private: |
+ base::Time verify_time_; |
+ StapleError staple_error_; |
+ std::vector<SingleResult> stapled_responses_; |
+ |
+ DISALLOW_COPY_AND_ASSIGN(ExpectStapleReport); |
+}; |
+ |
+} // namespace net |
+ |
+#endif /* NET_CERT_OCSP_STAPLE_H */ |