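// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_CT_POLICY_ENFORCER_H_
#define NET_CERT_CT_POLICY_ENFORCER_H_

#include <optional>
#include <string_view>

#include <stddef.h>

// NOTE(review): base::Time is used below but no time header is included
// directly; presumably it arrives transitively through
// signed_certificate_timestamp.h - TODO confirm.
#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/signed_certificate_timestamp.h"

namespace net {

class NetLogWithSource;

namespace ct {
enum class CTPolicyCompliance;
}  // namespace ct

class X509Certificate;

// Interface for checking whether or not a given certificate conforms to any
// policies an application may have regarding Certificate Transparency.
//
// See //net/docs/certificate-transparency.md for more details regarding the
// usage of CT in //net and risks that may exist when defining a CT policy.
//
// Instances are reference counted (base::RefCountedThreadSafe). The destructor
// is protected and the ref-count base is a friend, so code outside the
// hierarchy cannot delete an enforcer directly.
class NET_EXPORT CTPolicyEnforcer
    : public base::RefCountedThreadSafe<CTPolicyEnforcer> {
 public:
  // Returns the CT certificate policy compliance status for a given
  // certificate and collection of SCTs.
  // |cert| is the certificate for which to check compliance, and
  // |verified_scts| contains any/all SCTs associated with |cert| that
  // have been verified (well-formed, issued by known logs, and
  // applying to |cert|).
  //
  // The contract above places SCT verification on the caller: only SCTs that
  // have already passed verification belong in |verified_scts|. Nothing in
  // this interface indicates that implementations re-validate them.
  //
  // NOTE(review): |current_time| is presumably the time against which the
  // policy is evaluated, and |net_log| the destination for logging about the
  // check; neither is documented here, nor is whether |cert| may be null.
  // Confirm against the implementations.
  virtual ct::CTPolicyCompliance CheckCompliance(
      X509Certificate* cert,
      const ct::SCTList& verified_scts,
      base::Time current_time,
      const NetLogWithSource& net_log) const = 0;

  // Returns the timestamp that the log identified by |log_id| (the SHA-256
  // hash of the log's DER-encoded SPKI) has been disqualified, or nullopt if
  // the log has not been disqualified.
  // Any SCTs that are embedded in certificates issued after the
  // disqualification time should not be trusted, nor contribute to any
  // uniqueness or freshness requirements.
  //
  // NOTE(review): |log_id| is presumably the raw hash bytes rather than a
  // hex or base64 rendering - confirm with callers, since a mismatched
  // encoding would make a disqualified log look like one that is still
  // qualified (nullopt).
  virtual std::optional<base::Time> GetLogDisqualificationTime(
      std::string_view log_id) const = 0;

  // Returns true if Certificate Transparency enforcement is enabled.
  virtual bool IsCtEnabled() const = 0;

 protected:
  virtual ~CTPolicyEnforcer() = default;

 private:
  // Lets the ref-counting base invoke the protected destructor.
  friend class base::RefCountedThreadSafe<CTPolicyEnforcer>;
};

// A default implementation of Certificate Transparency policies that is
// intended for use in applications without auto-update capabilities.
//
// See //net/docs/certificate-transparency.md for more details.
//
// NOTE(review): what these overrides actually return is defined outside this
// header. Embedders that depend on CT being enforced should check the
// implementation rather than assume this default enforces a policy.
class NET_EXPORT DefaultCTPolicyEnforcer : public net::CTPolicyEnforcer {
 public:
  DefaultCTPolicyEnforcer() = default;

  // CTPolicyEnforcer implementation:
  ct::CTPolicyCompliance CheckCompliance(
      X509Certificate* cert,
      const ct::SCTList& verified_scts,
      base::Time current_time,
      const NetLogWithSource& net_log) const override;

  std::optional<base::Time> GetLogDisqualificationTime(
      std::string_view log_id) const override;

  bool IsCtEnabled() const override;

 protected:
  ~DefaultCTPolicyEnforcer() override = default;
};

}  // namespace net

#endif  // NET_CERT_CT_POLICY_ENFORCER_H_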