net/cert/ct_verifier.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CT_VERIFIER_H_
   6 #define NET_CERT_CT_VERIFIER_H_
   7
   8 #include "net/base/net_export.h"
   9
  10 namespace net {
  11
  12 namespace ct {
  13 struct CTVerifyResult;
  14 }  // namespace ct
  15
  16 class BoundNetLog;
  17 class X509Certificate;
  18
  19 // Interface for verifying Signed Certificate Timestamps over a certificate.
  20 class NET_EXPORT CTVerifier {
  21  public:
  22   virtual ~CTVerifier() {}
  23
  24   // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
  25   // stapled OCSP response, and SCTs obtained via the
  26   // signed_certificate_timestamp TLS extension on the given |cert|.
  27   // A certificate is permitted but not required to use multiple sources for
  28   // SCTs. It is expected that most certificates will use only one source
  29   // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response
  30   // is available, |stapled_ocsp_response| should be an empty string. If no SCT
  31   // TLS extension was negotiated, |sct_list_from_tls_extension| should be an
  32   // empty string. |result| will be filled with the SCTs present, divided into
  33   // categories based on the verification result.
  34   virtual int Verify(X509Certificate* cert,
  35                      const std::string& stapled_ocsp_response,
  36                      const std::string& sct_list_from_tls_extension,
  37                      ct::CTVerifyResult* result,
  38                      const BoundNetLog& net_log) = 0;
  39 };
  40
  41 }  // namespace net
  42
  43 #endif  // NET_CERT_CT_VERIFIER_H_