Index: net/cert/cert_policy_enforcer.h |
diff --git a/net/cert/cert_policy_enforcer.h b/net/cert/cert_policy_enforcer.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..04bdb4891bc39f610c214267c186f925d28d5bcd |
--- /dev/null |
+++ b/net/cert/cert_policy_enforcer.h |
@@ -0,0 +1,50 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+#ifndef NET_CERT_CERT_POLICY_ENFORCER_H |
+#define NET_CERT_CERT_POLICY_ENFORCER_H |
+ |
+#include <stddef.h> |
+ |
+#include "net/base/net_export.h" |
+ |
+namespace net { |
+ |
+namespace ct { |
+struct CTVerifyResult; |
+class EVCertsWhitelist; |
+} // namespace ct |
Ryan Sleevi
2014/11/06 00:16:43
newline before 14 & after 15
Eran Messeri
2014/11/20 11:49:56
Done.
|
+ |
+class X509Certificate; |
+ |
+// Class for checking that a given certificate conforms to security-related |
+// policies. |
+class NET_EXPORT CertPolicyEnforcer { |
+ public: |
+ // Set the parameters for this policy enforcer: |
+ // |num_ct_logs| is the number of Certificate Transparency log currently |
+ // known to Chrome. |
+ // |require_ct_for_ev| indicates whether Certificate Transparency presence |
+ // is required for EV certificates. |
+ CertPolicyEnforcer(size_t num_ct_logs, bool require_ct_for_ev); |
Ryan Sleevi
2014/11/06 00:16:43
You can drop the bool now, explicit CertPolicyEnfo
Eran Messeri
2014/11/20 11:49:56
Will do when we use Finch.
Eran Messeri
2014/11/20 11:49:56
Will do, when I introduce Finch.
|
+ virtual ~CertPolicyEnforcer(); |
+ |
+ // Returns true if the collection of SCTs for the given certificate |
+ // conforms with the CT/EV policy and CT presence is required for EV |
+ // certificates (as indicated in the c'tor). |
+ // |cert| is the certificate for which the SCTs apply (this is needed |
+ // to determine the certificate's lifetime). |
+ // |ct_result| is the CTVerifyResult filled in by the Verify call. |
+ bool DoesConformToCTEVPolicy(X509Certificate* cert, |
+ const ct::EVCertsWhitelist* ev_whitelist, |
+ // TODO(eranm): Add netlog |
Ryan Sleevi
2014/11/06 00:16:43
Move the TODO to line 37, add a bug #
Eran Messeri
2014/11/20 11:49:56
Removed; turns out I don't need the NetLog here.
|
+ const ct::CTVerifyResult& ct_result); |
+ |
+ private: |
+ size_t num_ct_logs_; |
+ bool enforce_ct_requirement_; |
+}; |
+ |
+} // namespace net |
+ |
+#endif // NET_CERT_CERT_POLICY_ENFORCER_H |