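// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_
#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_

#include <map>
#include <string>
#include <vector>  // std::vector is used in several declarations below; do not
                   // rely on it arriving transitively through another header.

#include "base/callback_list.h"
#include "base/functional/callback_forward.h"
#include "base/memory/scoped_refptr.h"
#include "base/memory/weak_ptr.h"
#include "base/strings/string_piece.h"
#include "net/base/net_export.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/signed_certificate_timestamp.h"

namespace net {

namespace ct {
struct SignedEntryData;
}  // namespace ct

class CTLogVerifier;

// A Certificate Transparency verifier that can verify Signed Certificate
// Timestamps from multiple logs.
// It must be initialized with a list of logs by calling SetLogs (this header
// declares no AddLogs). The CTLogProvider handed to the constructor is
// presumably the other way the log list reaches this object — see
// log_provider_subscription_ below; confirm against the .cc.
class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
 public:
  // Source of the current set of CT log verifiers. Consumers register a
  // callback with RegisterLogsListCallback; a concrete provider broadcasts a
  // new list to every registered callback via NotifyCallbacks.
  class NET_EXPORT CTLogProvider {
   public:
    // Callback type invoked with the complete list of log verifiers (not a
    // delta): the vector passed is the whole set that should be in effect.
    using LogListCallbackList = base::RepeatingCallbackList<void(
        const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers)>;

    // Registers |callback| to be run on every NotifyCallbacks. The callback is
    // removed when the returned subscription is destroyed.
    base::CallbackListSubscription RegisterLogsListCallback(
        LogListCallbackList::CallbackType callback);

   protected:
    // Constructor and destructor are protected: CTLogProvider is only usable as
    // a base class. The destructor is non-virtual, so a derived provider must
    // not be deleted through a CTLogProvider pointer.
    CTLogProvider();
    ~CTLogProvider();

    // Runs every registered callback with |log_verifiers|.
    void NotifyCallbacks(
        const std::vector<scoped_refptr<const net::CTLogVerifier>>&
            log_verifiers);

   private:
    LogListCallbackList callback_list_;
  };

  // Builds a verifier that listens to |notifier| for log list updates. The
  // lifetime requirement on |notifier| is not visible in this header — NOTE
  // (review): the subscription is stored here, so |notifier| presumably has to
  // outlive this object or be unsubscribed first; confirm in the .cc.
  explicit MultiLogCTVerifier(CTLogProvider* notifier);

  MultiLogCTVerifier(const MultiLogCTVerifier&) = delete;
  MultiLogCTVerifier& operator=(const MultiLogCTVerifier&) = delete;

  ~MultiLogCTVerifier() override;

  // Installs |log_verifiers| as the set of logs this verifier knows about,
  // keyed in logs_ by log ID (see logs_ below). Whether this replaces or
  // augments the existing set is not visible here — confirm in the .cc.
  void SetLogs(
      const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers);

  // CTVerifier implementation:
  // Verifies the SCTs found in |stapled_ocsp_response| and
  // |sct_list_from_tls_extension| for |cert| presented by |hostname|,
  // appending one entry per SCT (with its verification status) to
  // |output_scts|. Progress is recorded to |net_log|.
  void Verify(base::StringPiece hostname,
              X509Certificate* cert,
              base::StringPiece stapled_ocsp_response,
              base::StringPiece sct_list_from_tls_extension,
              SignedCertificateTimestampAndStatusList* output_scts,
              const NetLogWithSource& net_log) override;

 private:
  // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|,
  // placing the verification results in |output_scts|. The SCTs in the list
  // come from |origin| (as will be indicated in the origin field of each SCT).
  void VerifySCTs(base::StringPiece hostname,
                  base::StringPiece encoded_sct_list,
                  const ct::SignedEntryData& expected_entry,
                  ct::SignedCertificateTimestamp::Origin origin,
                  X509Certificate* cert,
                  SignedCertificateTimestampAndStatusList* output_scts);

  // Verifies a single, parsed SCT against all logs. What the bool return
  // encodes (verified vs. merely recognized log) is not documented here —
  // check the .cc before relying on it.
  bool VerifySingleSCT(base::StringPiece hostname,
                       scoped_refptr<ct::SignedCertificateTimestamp> sct,
                       const ct::SignedEntryData& expected_entry,
                       X509Certificate* cert,
                       SignedCertificateTimestampAndStatusList* output_scts);

  // Mapping from a log's ID to the verifier for this log.
  // A log's ID is the SHA-256 of the log's key, as defined in section 3.2.
  // of RFC6962. An SCT whose log ID has no entry here presumably cannot have
  // its signature checked at all, so the completeness of this map bounds what
  // Verify can vouch for.
  std::map<std::string, scoped_refptr<const CTLogVerifier>> logs_;

  // Keeps the callback registered with the CTLogProvider alive; dropping it
  // unregisters this object from future log list updates.
  base::CallbackListSubscription log_provider_subscription_;
};

}  // namespace net

#endif  // NET_CERT_MULTI_LOG_CT_VERIFIER_H_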