net/cert/ct_verifier.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CT_VERIFIER_H_
   6 #define NET_CERT_CT_VERIFIER_H_
   7
   8 #include <string>
   9
  10 #include "net/base/net_export.h"
  11
  12 namespace net {
  13
  14 namespace ct {
  15 struct CTVerifyResult;
  16 struct SignedCertificateTimestamp;
  17 }  // namespace ct
  18
  19 class BoundNetLog;
  20 class CTLogVerifier;
  21 class X509Certificate;
  22
  23 // Interface for verifying Signed Certificate Timestamps over a certificate.
  24 class NET_EXPORT CTVerifier {
  25  public:
  26   class NET_EXPORT Observer {
  27    public:
  28     // Called for each Signed Certificate Timestamp from a known log that vas
  29     // verified successfully (i.e. the signature verifies). |sct| is the
  30     // Signed Certificate Timestamp, |cert| is the certificate it applies to.
  31     // The certificate is needed to calculate the hash of the log entry,
  32     // necessary for checking inclusion in the log.
  33     virtual void OnSCTVerified(X509Certificate* cert,
  34                                const ct::SignedCertificateTimestamp* sct) = 0;
  35   };
  36
  37   virtual ~CTVerifier() {}
  38
  39   // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
  40   // stapled OCSP response, and SCTs obtained via the
  41   // signed_certificate_timestamp TLS extension on the given |cert|.
  42   // A certificate is permitted but not required to use multiple sources for
  43   // SCTs. It is expected that most certificates will use only one source
  44   // (embedding, TLS extension or OCSP stapling). If no stapled OCSP response
  45   // is available, |stapled_ocsp_response| should be an empty string. If no SCT
  46   // TLS extension was negotiated, |sct_list_from_tls_extension| should be an
  47   // empty string. |result| will be filled with the SCTs present, divided into
  48   // categories based on the verification result.
  49   virtual int Verify(X509Certificate* cert,
  50                      const std::string& stapled_ocsp_response,
  51                      const std::string& sct_list_from_tls_extension,
  52                      ct::CTVerifyResult* result,
  53                      const BoundNetLog& net_log) = 0;
  54
  55   // Registers |observer| to receive notifications of validated SCTs. Does not
  56   // take ownership of the observer as the observer may be performing
  57   // URLRequests which have to be cancelled before this object is destroyed.
  58   // Setting |observer| to nullptr has the effect of stopping all notifications.
  59   virtual void SetObserver(Observer* observer) = 0;
  60 };
  61
  62 }  // namespace net
  63
  64 #endif  // NET_CERT_CT_VERIFIER_H_