Index: net/cert/cert_policy_enforcer.h |
diff --git a/net/cert/cert_policy_enforcer.h b/net/cert/cert_policy_enforcer.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..082e68d8e273f74c547e8d8b410c9f91d95c67fa |
--- /dev/null |
+++ b/net/cert/cert_policy_enforcer.h |
@@ -0,0 +1,51 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+#ifndef NET_CERT_CERT_POLICY_ENFORCER_H |
+#define NET_CERT_CERT_POLICY_ENFORCER_H |
+ |
+#include <stddef.h> |
+ |
+#include "net/base/net_export.h" |
+ |
+namespace net { |
+ |
+namespace ct { |
+ |
+struct CTVerifyResult; |
+class EVCertsWhitelist; |
+ |
+} // namespace ct |
+ |
+class X509Certificate; |
+ |
+// Class for checking that a given certificate conforms to security-related |
+// policies. |
+class NET_EXPORT CertPolicyEnforcer { |
+ public: |
+ // Set the parameters for this policy enforcer: |
+ // |num_ct_logs| is the number of Certificate Transparency log currently |
+ // known to Chrome. |
+ // |require_ct_for_ev| indicates whether Certificate Transparency presence |
+ // is required for EV certificates. |
+ CertPolicyEnforcer(size_t num_ct_logs, bool require_ct_for_ev); |
+ virtual ~CertPolicyEnforcer(); |
+ |
+ // Returns true if the collection of SCTs for the given certificate |
+ // conforms with the CT/EV policy and CT presence is required for EV |
+ // certificates (as indicated in the c'tor). |
Ryan Sleevi
2014/11/28 15:27:44
I'd dropped everything from this comment beginning
Eran Messeri
2014/12/01 13:59:03
Done.
|
+ // |cert| is the certificate for which the SCTs apply (this is needed |
+ // to determine the certificate's lifetime). |
Ryan Sleevi
2014/11/28 15:27:44
Drop the ( ... ) comment
Eran Messeri
2014/12/01 13:59:03
Done.
|
+ // |ct_result| is the CTVerifyResult filled in by the Verify call. |
Ryan Sleevi
2014/11/28 15:27:44
This comment needs more fleshing out
// |ct_resul
Eran Messeri
2014/12/01 13:59:03
Done.
|
+ bool DoesConformToCTEVPolicy(X509Certificate* cert, |
+ const ct::EVCertsWhitelist* ev_whitelist, |
+ const ct::CTVerifyResult& ct_result); |
+ |
+ private: |
+ size_t num_ct_logs_; |
+ bool enforce_ct_requirement_; |
Ryan Sleevi
2014/11/28 15:27:44
NIT: name this consistently with your constructor
Eran Messeri
2014/12/01 13:59:03
Done.
|
+}; |
+ |
+} // namespace net |
+ |
+#endif // NET_CERT_CERT_POLICY_ENFORCER_H |