1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_CT_VERIFIER_H_
6 #define NET_CERT_CT_VERIFIER_H_
8 #include <string>
10 #include "net/base/net_export.h"
12 namespace net {
14 namespace ct {
15 struct CTVerifyResult;
16 struct SignedCertificateTimestamp;
17 } // namespace ct
19 class BoundNetLog;
20 class CTLogVerifier;
21 class X509Certificate;
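// Interface for verifying Signed Certificate Timestamps (SCTs) over a
// certificate.
//
// Security note: every SCT source this interface accepts -- the certificate
// itself, a stapled OCSP response and the signed_certificate_timestamp TLS
// extension -- is delivered by the TLS peer during the handshake and is
// therefore attacker-controlled input; implementations must parse all three
// defensively. A successfully verified SCT signature only proves that a known
// log signed the SCT. It does not prove that the certificate is actually
// included in that log; inclusion is a separate check (see Observer below).
class NET_EXPORT CTVerifier {
 public:
  // Receives a notification for each SCT whose signature was verified.
  class NET_EXPORT Observer {
   public:
    // Called for each Signed Certificate Timestamp from a known log that was
    // verified successfully (i.e. the signature verifies). |sct| is the
    // Signed Certificate Timestamp, |cert| is the certificate it applies to.
    // The certificate is needed to calculate the hash of the log entry,
    // necessary for checking inclusion in the log.
    //
    // SCTs from unknown logs, or whose signature does not verify, are not
    // reported through this callback. A verified signature by itself does
    // not establish inclusion; an observer that needs that guarantee must
    // perform the inclusion check using |cert| and |sct|. The header does
    // not state how long |cert| and |sct| remain valid after the call
    // returns -- confirm against the implementation before retaining them.
    virtual void OnSCTVerified(X509Certificate* cert,
                               const ct::SignedCertificateTimestamp* sct) = 0;
  };

  // Virtual so that an implementation may be deleted through a CTVerifier
  // pointer.
  virtual ~CTVerifier() {}

  // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
  // stapled OCSP response, and SCTs obtained via the
  // signed_certificate_timestamp TLS extension on the given |cert|.
  // A certificate is permitted but not required to use multiple sources for
  // SCTs. It is expected that most certificates will use only one source
  // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response
  // is available, |stapled_ocsp_response| should be an empty string. If no SCT
  // TLS extension was negotiated, |sct_list_from_tls_extension| should be an
  // empty string. |result| will be filled with the SCTs present, divided into
  // categories based on the verification result.
  //
  // |stapled_ocsp_response| and |sct_list_from_tls_extension| are raw bytes
  // received from the peer and must be treated as untrusted. Callers should
  // consult the per-SCT categories in |result| rather than treating the mere
  // presence of SCTs as evidence of CT compliance. The return value is an
  // int; presumably a net error code with OK on success -- confirm against
  // the implementation, this header does not define it.
  virtual int Verify(X509Certificate* cert,
                     const std::string& stapled_ocsp_response,
                     const std::string& sct_list_from_tls_extension,
                     ct::CTVerifyResult* result,
                     const BoundNetLog& net_log) = 0;

  // Registers |observer| to receive notifications of validated SCTs. Does not
  // take ownership of the observer as the observer may be performing
  // URLRequests which have to be cancelled before this object is destroyed.
  // Setting |observer| to nullptr has the effect of stopping all notifications.
  //
  // Because ownership is not taken, the caller is responsible for calling
  // SetObserver(nullptr) (or registering a replacement) before |observer| is
  // destroyed; otherwise this object keeps a dangling pointer and the next
  // verified SCT would be delivered to a destroyed object. A single observer
  // pointer is held at a time, so a later call replaces the earlier one.
  virtual void SetObserver(Observer* observer) = 0;
};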
62 } // namespace net
64 #endif // NET_CERT_CT_VERIFIER_H_