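// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_
#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_

#include <map>
#include <string>
#include <vector>  // std::vector is used in the declarations below.

#include "base/callback_list.h"
#include "base/functional/callback_forward.h"
#include "base/memory/scoped_refptr.h"
#include "base/memory/weak_ptr.h"
#include "base/strings/string_piece.h"
#include "net/base/net_export.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/signed_certificate_timestamp.h"

namespace net {

namespace ct {
struct SignedEntryData;
}  // namespace ct

class CTLogVerifier;

// A Certificate Transparency verifier that can verify Signed Certificate
// Timestamps from multiple logs.
//
// The set of trusted logs comes from the CTLogProvider handed to the
// constructor (SetLogs replaces the set directly). An SCT can only be
// verified against a log whose verifier is in that set; an SCT naming any
// other log ID is unverifiable and is never treated as valid. The result of
// every SCT is reported individually through the |output_scts| list, so
// callers (CT policy enforcement) decide what an unverified SCT means.
class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
 public:
  // Source of the current list of trusted log verifiers. Subclasses call
  // NotifyCallbacks() whenever that list changes; each registered callback
  // receives the complete replacement list, not a delta.
  class NET_EXPORT CTLogProvider {
   public:
    using LogListCallbackList = base::RepeatingCallbackList<void(
        const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers)>;

    // Registers |callback| to be run with the full list of log verifiers on
    // every change. The registration lasts as long as the returned
    // subscription object is alive.
    base::CallbackListSubscription RegisterLogsListCallback(
        LogListCallbackList::CallbackType callback);

   protected:
    CTLogProvider();
    ~CTLogProvider();

    // Runs all callbacks registered via RegisterLogsListCallback() with
    // |log_verifiers|.
    void NotifyCallbacks(
        const std::vector<scoped_refptr<const net::CTLogVerifier>>&
            log_verifiers);

   private:
    LogListCallbackList callback_list_;
  };

  // |notifier| supplies the trusted log list. The subscription stored in
  // |log_provider_subscription_| presumably comes from registering with it
  // here — confirm against the .cc, along with the required relative
  // lifetime of |notifier| and this object.
  explicit MultiLogCTVerifier(CTLogProvider* notifier);

  MultiLogCTVerifier(const MultiLogCTVerifier&) = delete;
  MultiLogCTVerifier& operator=(const MultiLogCTVerifier&) = delete;

  ~MultiLogCTVerifier() override;

  // Replaces the set of trusted logs with |log_verifiers|. SCTs verified
  // afterwards are checked only against this new set.
  void SetLogs(
      const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers);

  // CTVerifier implementation:
  //
  // Verifies the SCTs delivered for |cert|. |stapled_ocsp_response| and
  // |sct_list_from_tls_extension| are raw bytes received from the peer during
  // the handshake and must be treated as untrusted input; they are parsed by
  // VerifySCTs() and each SCT found is recorded in |output_scts| together
  // with its verification status. |net_log| receives diagnostic events.
  void Verify(X509Certificate* cert,
              base::StringPiece stapled_ocsp_response,
              base::StringPiece sct_list_from_tls_extension,
              SignedCertificateTimestampAndStatusList* output_scts,
              const NetLogWithSource& net_log) override;

 private:
  // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|,
  // placing the verification results in |output_scts|. The SCTs in the list
  // come from |origin| (as will be indicated in the origin field of each SCT),
  // so a consumer can later tell whether an SCT was embedded in |cert|, sent
  // in the TLS extension, or stapled in the OCSP response.
  void VerifySCTs(base::StringPiece encoded_sct_list,
                  const ct::SignedEntryData& expected_entry,
                  ct::SignedCertificateTimestamp::Origin origin,
                  X509Certificate* cert,
                  SignedCertificateTimestampAndStatusList* output_scts);

  // Verifies a single, parsed SCT against all logs, appending the outcome to
  // |output_scts|. The meaning of the bool return is defined in the .cc;
  // presumably true iff |sct| verified against a known log — confirm there.
  bool VerifySingleSCT(scoped_refptr<ct::SignedCertificateTimestamp> sct,
                       const ct::SignedEntryData& expected_entry,
                       X509Certificate* cert,
                       SignedCertificateTimestampAndStatusList* output_scts);

  // Mapping from a log's ID to the verifier for this log.
  // A log's ID is the SHA-256 of the log's key, as defined in section 3.2
  // of RFC 6962. The log ID carried inside an SCT is attacker-controlled: it
  // only selects which verifier to try, and a log is trusted solely because
  // its verifier is present in this map, never because an SCT names it.
  std::map<std::string, scoped_refptr<const CTLogVerifier>> logs_;

  // Keeps this verifier subscribed to the CTLogProvider's log-list updates.
  base::CallbackListSubscription log_provider_subscription_;
};

}  // namespace net

#endif  // NET_CERT_MULTI_LOG_CT_VERIFIER_H_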