Chromium Code Reviews Chromium Code Reviews
Issue 782333002:
Certificate Transparency: Adding finch and NetLog logging for EV certs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #ifndef NET_CERT_CERT_POLICY_ENFORCER_H | 4 #ifndef NET_CERT_CERT_POLICY_ENFORCER_H |
| 5 #define NET_CERT_CERT_POLICY_ENFORCER_H | 5 #define NET_CERT_CERT_POLICY_ENFORCER_H |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include "net/base/net_export.h" | 9 #include "net/base/net_export.h" |
| 10 #include "net/base/net_log.h" | |
| 10 | 11 |
| 11 namespace net { | 12 namespace net { |
| 12 | 13 |
| 13 namespace ct { | 14 namespace ct { |
| 14 | 15 |
| 15 struct CTVerifyResult; | 16 struct CTVerifyResult; |
| 16 class EVCertsWhitelist; | 17 class EVCertsWhitelist; |
| 17 | 18 |
| 18 } // namespace ct | 19 } // namespace ct |
| 19 | 20 |
| 20 class X509Certificate; | 21 class X509Certificate; |
| 21 | 22 |
| 22 // Class for checking that a given certificate conforms to security-related | 23 // Class for checking that a given certificate conforms to security-related |
| 23 // policies. | 24 // policies. |
| 24 class NET_EXPORT CertPolicyEnforcer { | 25 class NET_EXPORT CertPolicyEnforcer { |
| 25 public: | 26 public: |
| 26 // Set the parameters for this policy enforcer: | 27 // Set the parameters for this policy enforcer: |
| 27 // |require_ct_for_ev| indicates whether Certificate Transparency presence | 28 // |require_ct_for_ev| indicates whether Certificate Transparency presence |
| 28 // is required for EV certificates. | 29 // is required for EV certificates. |
| 29 explicit CertPolicyEnforcer(bool require_ct_for_ev); | 30 explicit CertPolicyEnforcer(bool require_ct_for_ev); |
| 30 virtual ~CertPolicyEnforcer(); | 31 virtual ~CertPolicyEnforcer(); |
| 31 | 32 |
| 32 // Returns true if the collection of SCTs for the given certificate | 33 // Returns true if the collection of SCTs for the given certificate |
| 33 // conforms with the CT/EV policy. | 34 // conforms with the CT/EV policy. If it is non-conforming, the certificate |
| 35 // is logged to |net_log|. | |
|
Ryan Sleevi
2014/12/16 21:35:01
This comment isn't accurate, since you always log
Eran Messeri
2014/12/17 16:19:31
Done - fixed.
| |
| 34 // |cert| is the certificate for which the SCTs apply. | 36 // |cert| is the certificate for which the SCTs apply. |
| 35 // |ct_result| must contain the result of verifying any SCTs associated with | 37 // |ct_result| must contain the result of verifying any SCTs associated with |
| 36 // |cert| prior to invoking this method. | 38 // |cert| prior to invoking this method. |
| 37 bool DoesConformToCTEVPolicy(X509Certificate* cert, | 39 bool DoesConformToCTEVPolicy(X509Certificate* cert, |
| 38 const ct::EVCertsWhitelist* ev_whitelist, | 40 const ct::EVCertsWhitelist* ev_whitelist, |
| 39 const ct::CTVerifyResult& ct_result); | 41 const ct::CTVerifyResult& ct_result, |
| 42 const BoundNetLog& net_log); | |
| 40 | 43 |
| 41 private: | 44 private: |
| 42 bool IsCertificateInWhitelist(X509Certificate* cert, | |
| 43 const ct::EVCertsWhitelist* ev_whitelist); | |
| 44 | |
| 45 bool HasRequiredNumberOfSCTs(X509Certificate* cert, | |
| 46 const ct::CTVerifyResult& ct_result); | |
| 47 | |
| 48 bool require_ct_for_ev_; | 45 bool require_ct_for_ev_; |
| 49 }; | 46 }; |
| 50 | 47 |
| 51 } // namespace net | 48 } // namespace net |
| 52 | 49 |
| 53 #endif // NET_CERT_CERT_POLICY_ENFORCER_H | 50 #endif // NET_CERT_CERT_POLICY_ENFORCER_H |
| OLD | NEW |
