net/cert/expect_staple_report.h - Issue 2040513003: Implement Expect-Staple

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/expect_staple_report.h

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Address comments from estark@ Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/expect_staple_report.h

diff --git a/net/cert/expect_staple_report.h b/net/cert/expect_staple_report.h

new file mode 100644

index 0000000000000000000000000000000000000000..45da48fd059f056db329445d854180595f8631f3

--- /dev/null

+++ b/net/cert/expect_staple_report.h

@@ -0,0 +1,73 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#ifndef NET_CERT_OCSP_STAPLE_H

+#define NET_CERT_OCSP_STAPLE_H

+#include <memory>

+#include "base/macros.h"

+#include "base/time/time.h"

+#include "net/base/net_export.h"

+#include "net/cert/internal/parse_ocsp.h"

+#include "net/cert/x509_certificate.h"

+namespace net {

+// An ExpectStapleReport is used to determine if a stapled OCSP response is

+// valid for a given certificate, and contains all the information needed to

+// construct a report payload for sites opting into Expect-Staple.

+class NET_EXPORT ExpectStapleReport {

+ public:

+ ExpectStapleReport();

+ ~ExpectStapleReport();

+ // Stores the validity of a single stapled response.

+ struct SingleResult {

+ bool is_date_valid = false;

+ bool is_correct_certificate = false;

+ OCSPCertStatus::Status status = OCSPCertStatus::Status::UNKNOWN;

+ };

+ // Represents where during the staple verification an error occured.

+ enum class StapleError {

+ OK = 0,

+ PARSE_RESPONSE = 1,

+ BAD_RESPONSE = 2,

+ PARSE_RESPONSE_DATA = 3,

+ PARSE_SINGLE_RESPONSE = 4,

+ NO_MATCHING_RESPONSE = 5

+ };

+ // Creates an ExpectStapleReport from an unparsed OCSP response.

+ // This compares the serial number of the certificate, and verifies that

+ // |verify_time| is within thisUpdate and nextUpdate, and that thisUpdate is

+ // at least as recent as |verify_time - max_age|.

+ //

+ // TODO(dadrian): Check issuer and signatures. https://crbug.com/620005

+ static std::unique_ptr<ExpectStapleReport> FromRawOCSPResponse(

+ const std::string& raw_response,

+ const base::Time& verify_time,

+ const base::TimeDelta& max_age,

+ const X509Certificate& server_certificate);

+ StapleError staple_error() const { return staple_error_; }

+ const std::vector<SingleResult>& stapled_responses() const {

+ return stapled_responses_;

+ }

+ const base::Time& verify_time() const { return verify_time_; }

+ private:

+ base::Time verify_time_;

+ StapleError staple_error_;

+ std::vector<SingleResult> stapled_responses_;

+ DISALLOW_COPY_AND_ASSIGN(ExpectStapleReport);

+};

+} // namespace net

+#endif /* NET_CERT_OCSP_STAPLE_H */

« no previous file with comments | « no previous file | net/cert/expect_staple_report.cc » ('j') | net/http/transport_security_state.cc » ('J')