net/cert/cert_verify_proc_whitelist.h

   1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
   6 #define NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
   7
   8 #include <stdint.h>
   9
  10 #include "crypto/sha2.h"
  11 #include "net/base/hash_value.h"
  12 #include "net/base/net_export.h"
  13
  14 namespace net {
  15
  16 class X509Certificate;
  17
  18 // PublicKeyWhitelist contains a SHA-256 SPKI hash and a pointer to an array
  19 // of SHA-256 certificate hashes that have been publicly disclosed and
  20 // whitelisted.
  21 struct PublicKeyWhitelist {
  22   uint8_t public_key[crypto::kSHA256Length];
  23   const uint8_t (*whitelist)[crypto::kSHA256Length];
  24   size_t whitelist_size;
  25 };
  26
  27 // Returns true if |cert| has been issued by a CA that is constrained from
  28 // issuing new certificates and |cert| is not within the whitelist of
  29 // existing certificates. Returns false if |cert| was issued by an
  30 // unconstrained CA or if it was in the whitelist for that
  31 // CA.
  32 // |cert| should be the verified certificate chain, with |public_key_hashes|
  33 // being the set of hashes of the SPKIs within the verified chain.
  34 bool NET_EXPORT_PRIVATE
  35 IsNonWhitelistedCertificate(const X509Certificate& cert,
  36                             const HashValueVector& public_key_hashes);
  37
  38 // Sets the certificate whitelist for testing. Supply nullptr/0 to reset to
  39 // the built-in whitelist.
  40 void NET_EXPORT_PRIVATE
  41 SetCertificateWhitelistForTesting(const PublicKeyWhitelist* whitelist,
  42                                   size_t whitelist_size);
  43
  44 }  // namespace net
  45
  46 #endif  // NET_CERT_CERT_VERIFY_PROC_WHITELIST