OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H_ | 5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H_ |
6 #define NET_CERT_CT_POLICY_ENFORCER_H_ | 6 #define NET_CERT_CT_POLICY_ENFORCER_H_ |
7 | 7 |
8 #include <stddef.h> | 8 #include <stddef.h> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "net/base/net_export.h" | 11 #include "net/base/net_export.h" |
12 #include "net/cert/signed_certificate_timestamp.h" | 12 #include "net/cert/signed_certificate_timestamp.h" |
13 | 13 |
14 namespace net { | 14 namespace net { |
15 | 15 |
16 class NetLogWithSource; | 16 class NetLogWithSource; |
17 | 17 |
18 namespace ct { | 18 namespace ct { |
19 | 19 |
20 class EVCertsWhitelist; | |
21 enum class CertPolicyCompliance; | 20 enum class CertPolicyCompliance; |
22 enum class EVPolicyCompliance; | |
23 | 21 |
24 } // namespace ct | 22 } // namespace ct |
25 | 23 |
26 class X509Certificate; | 24 class X509Certificate; |
27 | 25 |
28 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>; | 26 using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>; |
29 | 27 |
30 // Class for checking that a given certificate conforms to | 28 // Class for checking that a given certificate conforms to |
31 // Certificate Transparency-related policies. | 29 // Certificate Transparency-related policies. |
32 // | |
33 // Each method can be called independently, to determine whether | |
34 // or not it complies with a given policy. | |
35 // | |
36 // For example, to determine if a certificate complies with the | |
37 // EV certificate policy, callers need only to call | |
38 // DoesConformToEVPolicy() - it is not necessary to first check | |
39 // whether or not DoesConformToCertPolicy(). | |
40 // | |
41 // However, consider the case where a given certificate is desired | |
42 // to be EV, but, if it does not conform to the EV policy, will | |
43 // be downgraded to DV. In this case, it's necessary to check if | |
44 // it complies with either policy. This can be done one of two | |
45 // ways, reflected in pseudo-code below: | |
46 // | |
47 // Recommended: | |
48 // // Checks EV certificates against the EV policy. If the | |
49 // // certificate fails, it will be downgraded to DV, in which | |
50 // // case, the DV policy will apply. | |
51 // bool is_valid_cert_policy = DoesConformToCertPolicy(...); | |
52 // bool is_valid_ev_policy = is_ev && DoesConformToEVPolicy(...); | |
53 // if (!is_valid_ev_policy) | |
54 // is_ev = false; | |
55 // is_valid_ct = is_valid_ev_policy || is_valid_cert_policy; | |
56 // | |
57 // NOT recommended: | |
58 // // Checks all certificates against the basic policy, and only | |
59 // // if they meet the baseline policy, check EV. | |
60 // bool conforms_to_cert_policy = DoesConformToCertPolicy(...); | |
61 // if (conforms_to_cert_policy && is_ev) { | |
62 // conforms_to_cert_policy = DoesConformToEVPolicy(...); | |
63 // } | |
64 // | |
65 // The reason the second form is NOT recommended is that the EV and Cert | |
66 // policies may be completely independent: a certificate might fail the | |
67 // cert policy but pass the EV policy (because, for example, the EV | |
68 // policy supports whitelisting certificates). Or, conversely, the EV | |
69 // policy might have stricter SCT requirements, so that a certificate | |
70 // passes the certificate policy but fails the EV policy. For this | |
71 // reason, callers are encouraged to check the policy specific to the | |
72 // certificate type being validated, and only call other methods if they | |
73 // are changing the type of certificate because it failed one or more | |
74 // policies. | |
75 class NET_EXPORT CTPolicyEnforcer { | 30 class NET_EXPORT CTPolicyEnforcer { |
76 public: | 31 public: |
77 CTPolicyEnforcer() {} | 32 CTPolicyEnforcer() {} |
78 virtual ~CTPolicyEnforcer() {} | 33 virtual ~CTPolicyEnforcer() {} |
79 | 34 |
80 // Returns the CT certificate policy compliance status for a given | 35 // Returns the CT certificate policy compliance status for a given |
81 // certificate and collection of SCTs. | 36 // certificate and collection of SCTs. |
82 // |cert| is the certificate for which to check compliance, and | 37 // |cert| is the certificate for which to check compliance, and |
83 // ||verified_scts| contains any/all SCTs associated with |cert| that | 38 // ||verified_scts| contains any/all SCTs associated with |cert| that |
84 // |have been verified (well-formed, issued by known logs, and | 39 // |have been verified (well-formed, issued by known logs, and |
85 // |applying to |cert|). | 40 // |applying to |cert|). |
86 virtual ct::CertPolicyCompliance DoesConformToCertPolicy( | 41 virtual ct::CertPolicyCompliance DoesConformToCertPolicy( |
87 X509Certificate* cert, | 42 X509Certificate* cert, |
88 const SCTList& verified_scts, | 43 const SCTList& verified_scts, |
89 const NetLogWithSource& net_log); | 44 const NetLogWithSource& net_log); |
90 | |
91 // Returns the CT/EV policy compliance status for a given certificate | |
92 // and collection of SCTs. | |
93 // |cert| is the certificate for which to check compliance, and | |
94 // ||verified_scts| contains any/all SCTs associated with |cert| that | |
95 // |have been verified (well-formed, issued by known logs, and | |
96 // |applying to |cert|). | |
97 // Note: |ev_whitelist| is an optional whitelist of certificates considered | |
98 // to be conforming. | |
99 virtual ct::EVPolicyCompliance DoesConformToCTEVPolicy( | |
100 X509Certificate* cert, | |
101 const ct::EVCertsWhitelist* ev_whitelist, | |
102 const SCTList& verified_scts, | |
103 const NetLogWithSource& net_log); | |
104 }; | 45 }; |
105 | 46 |
106 } // namespace net | 47 } // namespace net |
107 | 48 |
108 #endif // NET_CERT_CT_POLICY_ENFORCER_H_ | 49 #endif // NET_CERT_CT_POLICY_ENFORCER_H_ |
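Review bot: The class comment on the new side (new lines 28-29) is now a single sentence, so with DoesConformToCTEVPolicy and the EV/DV guidance removed, the header no longer tells callers how EV treatment should depend on the CT result. If the intent is that EV certificates are judged by the same policy as every other certificate, the comment should say so, for example `// There is no separate EV policy: callers that grant EV treatment must base it on the ct::CertPolicyCompliance returned by DoesConformToCertPolicy().`; without it, a caller that used to downgrade on the EV result could be left with no CT check on its EV path. The surviving comment on DoesConformToCertPolicy (new lines 38-40) still has stray leading `|` characters and should read `// |verified_scts| contains any/all SCTs associated with |cert| that have been verified (well-formed, issued by known logs, and applying to |cert|).`. That wording implies the method relies on the caller for SCT verification; if so, state it as a precondition and also describe |net_log|. The method definitions are outside this header, so the behaviour behind these comments cannot be confirmed from this page.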
OLD | NEW |