author | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-24 22:33:00 +0000 |
---|---|---|
committer | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-24 22:33:00 +0000 |
commit | 1f11d6fce0146543320116e0daa4d27d847c1c49 (patch) | |
tree | 140df1e8077a8e707befbc9b65a67503908d52de /net/cert/multi_log_ct_verifier.h | |
parent | ff4d672e9e3aa4ebe831eb52f05b10f5ab145699 (diff) | |
Add the high-level interface for verifying SCTs over multiple logs
This interface (and the default implementation) verify SCT lists obtained
during the TLS handshake or from OCSP stapling, as well as embedded ones.
The result will be used to modify the ssl_info with an indicator of CT status.
The next, and final, patch will wire the CTVerifier to the SSL client socket.
BUG=309578
Review URL: https://codereview.chromium.org/67513008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237008 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/multi_log_ct_verifier.h')
-rw-r--r-- | net/cert/multi_log_ct_verifier.h | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/net/cert/multi_log_ct_verifier.h b/net/cert/multi_log_ct_verifier.h
new file mode 100644
index 0000000..7ceace0
--- /dev/null
+++ b/net/cert/multi_log_ct_verifier.h
@@ -0,0 +1,70 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_
+#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_
+
+#include <map>
+#include <string>
+
+#include "base/memory/linked_ptr.h"
+#include "base/memory/scoped_ptr.h"
+#include "net/base/net_export.h"
+#include "net/cert/ct_verifier.h"
+#include "net/cert/signed_certificate_timestamp.h"
+
+namespace net {
+
+namespace ct {
+struct LogEntry;
+} // namespace ct
+
+class CTLogVerifier;
+
+// A Certificate Transparency verifier that can verify Signed Certificate
+// Timestamps from multiple logs.
+// There should be a global instance of this class and for all known logs,
+// AddLog should be called with a CTLogVerifier (which is created from the
+// log's public key).
+class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
+ public:
+ MultiLogCTVerifier();
+ virtual ~MultiLogCTVerifier();
+
+ void AddLog(scoped_ptr<CTLogVerifier> log_verifier);
+
+ // CTVerifier implementation:
+ virtual int Verify(X509Certificate* cert,
+ const std::string& sct_list_from_ocsp,
+ const std::string& sct_list_from_tls_extension,
+ ct::CTVerifyResult* result) OVERRIDE;
+
+ private:
+ // Mapping from a log's ID to the verifier for this log.
+ // A log's ID is the SHA-256 of the log's key, as defined in section 3.2.
+ // of RFC6962.
+ typedef std::map<std::string, linked_ptr<CTLogVerifier> > IDToLogMap;
+
+ // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|,
+ // placing the verification results in |result|. The SCTs in the list
+ // come from |origin| (as will be indicated in the origin field of each SCT).
+ bool VerifySCTs(const std::string& encoded_sct_list,
+ const ct::LogEntry& expected_entry,
+ ct::SignedCertificateTimestamp::Origin origin,
+ ct::CTVerifyResult* result);
+
+ // Verifies a single, parsed SCT against all logs.
+ bool VerifySingleSCT(
+ scoped_refptr<ct::SignedCertificateTimestamp> sct,
+ const ct::LogEntry& expected_entry,
+ ct::CTVerifyResult* result);
+
+ IDToLogMap logs_;
+
+ DISALLOW_COPY_AND_ASSIGN(MultiLogCTVerifier);
+};
+
+} // namespace net
+
+#endif // NET_CERT_MULTI_LOG_CT_VERIFIER_H_ |
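Review bot: `AddLog` is the only public method declared without a comment, and since the class comment asks for one global instance, the header should say when `AddLog` may be called relative to `Verify` and what happens when a verifier for an already-registered log ID is inserted into `logs_`. Neither is visible in this file; if the implementation expects all logs to be registered before the first verification, a comment such as `// Registers |log_verifier| under its log ID. All logs must be added before Verify() is first called.` would pin that down, with the duplicate-ID behaviour stated alongside. The private `VerifySCTs` and `VerifySingleSCT` return `bool` without saying what `true` means (list parsed, or at least one SCT verified), which is worth documenting because the CT status written to `result` will be derived from it. The header also uses `scoped_refptr`, `OVERRIDE` and `DISALLOW_COPY_AND_ASSIGN` without including their defining headers directly, so it presumably relies on transitive includes.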