1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_SSL_INFO_H_
6 #define NET_SSL_SSL_INFO_H_
7 
#include <stdint.h>

#include <string>
#include <vector>

#include "base/memory/scoped_refptr.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ocsp_verify_result.h"
#include "net/cert/sct_status_flags.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
20 
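namespace net {

class X509Certificate;

// SSL connection info.
// This is really a struct.  All members are public.
//
// An SSLInfo records what is known about the TLS session behind a socket: the
// certificate chain that was verified, the outcome of that verification, the
// parameters the handshake negotiated, and the Certificate Transparency and
// OCSP results. Several fields document a zero/"unknown" default because
// older cache entries may not have stored them; readers must tolerate that.
class NET_EXPORT SSLInfo {
 public:
  // HandshakeType enumerates the possible resumption cases after an SSL
  // handshake.
  enum HandshakeType {
    HANDSHAKE_UNKNOWN = 0,
    HANDSHAKE_RESUME,  // we resumed a previous session.
    HANDSHAKE_FULL,  // we negotiated a new session.
  };

  SSLInfo();
  SSLInfo(const SSLInfo& info);
  ~SSLInfo();
  SSLInfo& operator=(const SSLInfo& info);

  // Defined out of line. Presumably restores every field to its
  // default-constructed value; confirm against the implementation before
  // relying on any particular field being cleared.
  void Reset();

  // True iff a certificate chain is present in |cert|. A default-constructed
  // SSLInfo is not valid, so callers should check this before interpreting
  // |cert_status| or any other per-certificate field.
  bool is_valid() const { return cert.get() != nullptr; }

  // The SSL certificate: the chain as built by the client during validation.
  // Null until verification has produced a chain (see is_valid()).
  scoped_refptr<X509Certificate> cert;

  // The SSL certificate as received by the client. Can be different
  // from |cert|, which is the chain as built by the client during
  // validation.
  scoped_refptr<X509Certificate> unverified_cert;

  // Bitmask of status info of |cert|, representing, for example, known errors
  // and extended validation (EV) status.
  // See cert_status_flags.h for values, and prefer its predicates (e.g.
  // IsCertStatusError()) over testing individual bits here.
  CertStatus cert_status = 0;

  // The ID of the (EC)DH group used by the key exchange, as listed in the IANA
  // TLS Supported Groups registry, or zero if unknown (older cache entries may
  // not store the value) or not applicable.
  uint16_t key_exchange_group = 0;

  // The signature algorithm used by the peer in the TLS handshake, as defined
  // by the TLS SignatureScheme registry
  // (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme).
  // These correspond to |SSL_SIGN_*| constants in BoringSSL. The value is zero
  // if unknown (older cache entries may not store the value) or not applicable.
  uint16_t peer_signature_algorithm = 0;

  // Information about the SSL connection itself. See
  // ssl_connection_status_flags.h for values. The protocol version,
  // ciphersuite, and compression in use are encoded within.
  int connection_status = 0;

  // If the certificate is valid, then this is true iff it was rooted at a
  // standard CA root. (As opposed to a user-installed root.)
  bool is_issued_by_known_root = false;

  // True if pinning was bypassed on this connection.
  bool pkp_bypassed = false;

  // True if a client certificate was sent to the server.  Note that sending
  // a Certificate message with no client certificate in it does not count.
  bool client_cert_sent = false;

  // True if data was received over early data on the server. This field is only
  // set for server sockets.
  bool early_data_received = false;

  // True if the connection negotiated the Encrypted ClientHello extension.
  bool encrypted_client_hello = false;

  // Whether the session was resumed (HANDSHAKE_RESUME) or freshly negotiated
  // (HANDSHAKE_FULL). HANDSHAKE_UNKNOWN means the outcome was not recorded.
  HandshakeType handshake_type = HANDSHAKE_UNKNOWN;

  // The hashes, in several algorithms, of the SubjectPublicKeyInfos from
  // each certificate in the chain.
  HashValueVector public_key_hashes;

  // pinning_failure_log contains a message produced by
  // TransportSecurityState::PKPState::CheckPublicKeyPins in the event of a
  // pinning failure. It is a (somewhat) human-readable string.
  std::string pinning_failure_log;

  // List of SignedCertificateTimestamps and their corresponding validation
  // status.
  SignedCertificateTimestampAndStatusList signed_certificate_timestamps;

  // Whether the connection complied with the CT cert policy, and if
  // not, why not.
  ct::CTPolicyCompliance ct_policy_compliance =
      ct::CTPolicyCompliance::CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE;

  // OCSP stapling details.
  OCSPVerifyResult ocsp_result;

  // True if there was a certificate error which should be treated as fatal,
  // and false otherwise.
  bool is_fatal_cert_error = false;
};

}  // namespace net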
122 
123 #endif  // NET_SSL_SSL_INFO_H_