1 // Copyright 2011 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_CERT_VERIFY_RESULT_H_ 6 #define NET_CERT_CERT_VERIFY_RESULT_H_ 7 8 #include "base/memory/scoped_refptr.h" 9 #include "base/supports_user_data.h" 10 #include "base/values.h" 11 #include "net/base/hash_value.h" 12 #include "net/base/net_export.h" 13 #include "net/cert/cert_status_flags.h" 14 #include "net/cert/ct_policy_status.h" 15 #include "net/cert/ocsp_verify_result.h" 16 #include "net/cert/signed_certificate_timestamp_and_status.h" 17 18 namespace ct { 19 enum class CTPolicyCompliance; 20 } // namespace ct 21 22 namespace net { 23 24 class X509Certificate; 25 26 // The result of certificate verification. 27 // 28 // Additional debugging or purely informational data may be added through 29 // SupportsUserData, but such data must not be used for anything that changes 30 // how the results are interpreted or acted upon: any data that changes the 31 // meaning of the result must be added as a member in this class, not through 32 // SupportsUserData. 33 // Any Data added through SupportsUserData must implement Clone(). 34 class NET_EXPORT CertVerifyResult : public base::SupportsUserData { 35 public: 36 CertVerifyResult(); 37 CertVerifyResult(const CertVerifyResult& other); 38 ~CertVerifyResult() override; 39 40 CertVerifyResult& operator=(const CertVerifyResult& other); 41 42 void Reset(); 43 44 // Creates NetLog parameter to describe the CertVerifyResult. |net_error| is 45 // a net error code to include in the params, if non-zero. It must not be 46 // ERR_IO_PENDING, as that is not a true error. 47 base::Value::Dict NetLogParams(int net_error) const; 48 49 // The certificate chain that was constructed during verification. 50 // 51 // Note: Although |verified_cert| will match the originally supplied 52 // certificate to be validated, the results of intermediate_buffers() 53 // may be substantially different, both in order and in content, then the 54 // originally supplied intermediates. 55 // 56 // In the event of validation failures, this may contain the originally 57 // supplied certificate chain or a partially constructed path, depending on 58 // the implementation. 59 // 60 // In the event of validation success, the trust anchor will be 61 // |verified_cert->intermediate_buffers().back()| if 62 // there was a certificate chain to the trust anchor, and will 63 // be |verified_cert->cert_buffer()| if the certificate was 64 // the trust anchor. 65 scoped_refptr<X509Certificate> verified_cert; 66 67 // Bitmask of CERT_STATUS_* from net/cert/cert_status_flags.h. Note that 68 // these status flags apply to the certificate chain returned in 69 // |verified_cert|, rather than the originally supplied certificate 70 // chain. 71 CertStatus cert_status; 72 73 // Hash algorithms used by the certificate chain, excluding the trust 74 // anchor. 75 bool has_sha1; 76 77 // If the certificate was successfully verified then this contains the 78 // hashes for all of the SubjectPublicKeyInfos of the chain (target, 79 // intermediates, and trust anchor) 80 // 81 // The ordering of the hashes in this vector is unspecified. Both the SHA1 82 // and SHA256 hash will be present for each certificate. 83 HashValueVector public_key_hashes; 84 85 // is_issued_by_known_root is true if we recognise the root CA as a standard 86 // root. If it isn't then it's probably the case that this certificate was 87 // generated by a MITM proxy whose root has been installed locally. This is 88 // meaningless if the certificate was not trusted. 89 bool is_issued_by_known_root; 90 91 // is_issued_by_additional_trust_anchor is true if the root CA used for this 92 // verification came from the list of additional trust anchors. 93 bool is_issued_by_additional_trust_anchor; 94 95 // Verification of stapled OCSP response, if present. 96 OCSPVerifyResult ocsp_result; 97 98 // `scts` contains the result of verifying any provided or embedded SCTs for 99 // this certificate against the set of known logs. Consumers should not simply 100 // check this for the presence of a successfully verified SCT to determine CT 101 // compliance. Instead look at `policy_compliance`. 102 SignedCertificateTimestampAndStatusList scts; 103 104 // The result of evaluating whether the certificate complies with the 105 // Certificate Transparency policy. 106 ct::CTPolicyCompliance policy_compliance; 107 }; 108 109 } // namespace net 110 111 #endif // NET_CERT_CERT_VERIFY_RESULT_H_ 112