net/cert/cert_status_flags.h - Issue 76443006: Certificate Transparency: Threading the CT verifier into the SSL client socket.

Side by Side Diff: net/cert/cert_status_flags.h

Issue 76443006: Certificate Transparency: Threading the CT verifier into the SSL client socket. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Fixing compilation on non-NSS platforms Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_CERT_STATUS_FLAGS_H_	5 #ifndef NET_CERT_CERT_STATUS_FLAGS_H_

6 #define NET_CERT_CERT_STATUS_FLAGS_H_	6 #define NET_CERT_CERT_STATUS_FLAGS_H_

7	7

8 #include "base/basictypes.h"	8 #include "base/basictypes.h"

9 #include "net/base/net_export.h"	9 #include "net/base/net_export.h"

10	10

(...skipping 21 matching lines...) Expand all Loading...
32 // 1 << 9 was used for CERT_STATUS_NOT_IN_DNS	32 // 1 << 9 was used for CERT_STATUS_NOT_IN_DNS

33 static const CertStatus CERT_STATUS_NON_UNIQUE_NAME = 1 << 10;	33 static const CertStatus CERT_STATUS_NON_UNIQUE_NAME = 1 << 10;

34 static const CertStatus CERT_STATUS_WEAK_KEY = 1 << 11;	34 static const CertStatus CERT_STATUS_WEAK_KEY = 1 << 11;

35 static const CertStatus CERT_STATUS_WEAK_DH_KEY = 1 << 12;	35 static const CertStatus CERT_STATUS_WEAK_DH_KEY = 1 << 12;

36 static const CertStatus CERT_STATUS_PINNED_KEY_MISSING = 1 << 13;	36 static const CertStatus CERT_STATUS_PINNED_KEY_MISSING = 1 << 13;

37	37

38 // Bits 16 to 31 are for non-error statuses.	38 // Bits 16 to 31 are for non-error statuses.

39 static const CertStatus CERT_STATUS_IS_EV = 1 << 16;	39 static const CertStatus CERT_STATUS_IS_EV = 1 << 16;

40 static const CertStatus CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17;	40 static const CertStatus CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17;

41 // bit 18 was CERT_STATUS_IS_DNSSEC.	41 // bit 18 was CERT_STATUS_IS_DNSSEC.

	42 // Bits 19 and 20 are for Certificate Transparency.

	43 // The following states are represented:

	44 // bit 20 \| bit 19 \| state

	45 // 0 \| 0 \| No SCTs were present

	46 // 0 \| 1 \| SCTs from unknown logs were present
	wtc 2013/11/26 01:47:23 In this combination, are the SCTs verified? The na In this combination, are the SCTs verified? The name "HAS_GOOD_SCT" implies they are verified. But can we verify SCTs from unknown logs? Update: after reading the entire CL, I now understand these two bits don't have independent meanings. Instead, the two bits are used to encode four possible values (0, 1, 2, 3) as you tabulated here. This is a little confusing because a reader of this file expects every cert status bit can be tested independently. It may be better to imitate how this is done in net/ssl/ssl_connection_status_flags.h. For example, it uses three bits to encode the SSL/TLS protocol version. Eran M. (Google) 2013/11/26 14:45:53 Done - used the two most-significant bits to store Show quoted text On 2013/11/26 01:47:23, wtc wrote: > > In this combination, are the SCTs verified? The name "HAS_GOOD_SCT" implies they > are verified. But can we verify SCTs from unknown logs? > > Update: after reading the entire CL, I now understand these two bits don't have > independent meanings. Instead, the two bits are used to encode four possible > values (0, 1, 2, 3) as you tabulated here. > > This is a little confusing because a reader of this file expects every cert > status bit can be tested independently. It may be better to imitate how this is > done in net/ssl/ssl_connection_status_flags.h. For example, it uses three bits > to encode the SSL/TLS protocol version. Done - used the two most-significant bits to store CT state as integer.
	47 // 1 \| 0 \| SCTs from known logs present but cannot be unverified
	wtc 2013/11/26 01:47:23 1. Is "unverified" a typo? 2. Does this combinati 1. Is "unverified" a typo? 2. Does this combination imply an error? If so, this violates the comment on line 38 that these bits are for non-error statuses. Eran M. (Google) 2013/11/26 14:45:53 1. yes. 2. yes - but the CT state was now moved to Show quoted text On 2013/11/26 01:47:23, wtc wrote: > > 1. Is "unverified" a typo? > > 2. Does this combination imply an error? If so, this violates the comment on > line 38 that these bits are for non-error statuses. 1. yes. 2. yes - but the CT state was now moved to a state of its own, so the comment does not apply anymore.
	48 // 1 \| 1 \| SCTs from known logs present, verified

	49 // Bit 19 - indicates presence of SCTs. If set but bit 20 isn't, indicates

	50 // SCTs from unknown logs. If set and bit 20 is net, indicates presence

	51 // of validated SCTs.

	52 static const CertStatus CERT_STATUS_HAS_GOOD_SCT = 1 << 19;

	53 // Bit 20 - when set, indicates SCTs from known logs. When not set, indicates

	54 // SCTs from unknown logs or no SCTs, depending on bit 19.

	55 static const CertStatus CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG = 1 << 20;

42	56

43 // Returns true if the specified cert status has an error set.	57 // Returns true if the specified cert status has an error set.

44 static inline bool IsCertStatusError(CertStatus status) {	58 static inline bool IsCertStatusError(CertStatus status) {

45 return (CERT_STATUS_ALL_ERRORS & status) != 0;	59 return (CERT_STATUS_ALL_ERRORS & status) != 0;

46 }	60 }

47	61

48 // IsCertStatusMinorError returns true iff \|cert_status\| indicates a condition	62 // IsCertStatusMinorError returns true iff \|cert_status\| indicates a condition

49 // that should typically be ignored by automated requests. (i.e. a revocation	63 // that should typically be ignored by automated requests. (i.e. a revocation

50 // check failure.)	64 // check failure.)

51 NET_EXPORT bool IsCertStatusMinorError(CertStatus cert_status);	65 NET_EXPORT bool IsCertStatusMinorError(CertStatus cert_status);

52	66

53 // Maps a network error code to the equivalent certificate status flag. If	67 // Maps a network error code to the equivalent certificate status flag. If

54 // the error code is not a certificate error, it is mapped to 0.	68 // the error code is not a certificate error, it is mapped to 0.

55 NET_EXPORT CertStatus MapNetErrorToCertStatus(int error);	69 NET_EXPORT CertStatus MapNetErrorToCertStatus(int error);

56	70

57 // Maps the most serious certificate error in the certificate status flags	71 // Maps the most serious certificate error in the certificate status flags

58 // to the equivalent network error code.	72 // to the equivalent network error code.

59 NET_EXPORT int MapCertStatusToNetError(CertStatus cert_status);	73 NET_EXPORT int MapCertStatusToNetError(CertStatus cert_status);

60	74

	75 // Indicates whether there were any SCTs.

	76 NET_EXPORT bool DoesCertHaveSignedCertificateTimestamps(

	77 CertStatus cert_status);

	78 // Indicates whether SCTs from known logs verified OK

	79 NET_EXPORT bool DoesCertHaveVerifiedSignedCertificateTimestamps(

	80 CertStatus cert_status);
	wtc 2013/11/26 01:47:23 Add a blank line after this line, and between the Add a blank line after this line, and between the two functions. Eran M. (Google) 2013/11/26 14:45:53 Removed these two functions, added a function to e Show quoted text On 2013/11/26 01:47:23, wtc wrote: > > Add a blank line after this line, and between the two functions. Removed these two functions, added a function to extract the CT state.
61 } // namespace net	81 } // namespace net

62	82

63 #endif // NET_CERT_CERT_STATUS_FLAGS_H_	83 #endif // NET_CERT_CERT_STATUS_FLAGS_H_

OLD	NEW

« net/base/net_error_list.h ('K') | « net/base/net_error_list.h ('k') | net/cert/cert_status_flags.cc » ('j') | net/cert/ct_known_logs_keys.h » ('J')