// Copyright (c) 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_
#define NET_CERT_CERT_VERIFY_PROC_WHITELIST_H_

#include <stdint.h>

#include "crypto/sha2.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"

namespace net {

class X509Certificate;

// PublicKeyWhitelist contains a SHA-256 SPKI hash and a pointer to an array
// of SHA-256 certificate hashes that have been publicly disclosed and
// whitelisted.
struct PublicKeyWhitelist {
  uint8_t public_key[crypto::kSHA256Length];
  const uint8_t (*whitelist)[crypto::kSHA256Length];
  size_t whitelist_size;
};

// Returns true if |cert| has been issued by a CA that is constrained from
// issuing new certificates and |cert| is not within the whitelist of
// existing certificates. Returns false if |cert| was issued by an
// unconstrained CA or if it was in the whitelist for that
// CA.
// |cert| should be the verified certificate chain, with |public_key_hashes|
// being the set of hashes of the SPKIs within the verified chain.
bool NET_EXPORT_PRIVATE
IsNonWhitelistedCertificate(const X509Certificate& cert,
                            const HashValueVector& public_key_hashes);

// Sets the certificate whitelist for testing. Supply nullptr/0 to reset to
// the built-in whitelist.
void NET_EXPORT_PRIVATE
SetCertificateWhitelistForTesting(const PublicKeyWhitelist* whitelist,
                                  size_t whitelist_size);

}  // namespace net

#endif  // NET_CERT_CERT_VERIFY_PROC_WHITELIST