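// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_
#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_

#include <map>
#include <string>
#include <string_view>
#include <vector>  // std::vector is used in the constructor signature below.

#include "base/memory/scoped_refptr.h"
#include "net/base/net_export.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/signed_certificate_timestamp.h"

namespace net {

namespace ct {
struct SignedEntryData;
}  // namespace ct

class CTLogVerifier;

// A Certificate Transparency verifier that can verify Signed Certificate
// Timestamps (SCTs) from multiple logs.
//
// The set of trusted logs is fixed at construction time: the constructor
// receives every CTLogVerifier this instance will ever consult, and there is
// no way to add logs afterwards. An SCT issued by a log that is not in that
// set cannot be verified by this class.
//
// Both SCT sources handed to Verify() (the TLS extension and the stapled OCSP
// response) originate from the remote peer and must be treated as untrusted
// input; the verification results are reported per SCT in |output_scts|
// rather than as a single pass/fail.
class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
 public:
  // |log_verifiers| is the complete list of logs this verifier trusts.
  // NOTE(review): presumably each verifier is stored in |logs_| under its log
  // ID; confirm against the constructor definition.
  explicit MultiLogCTVerifier(
      const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers);

  MultiLogCTVerifier(const MultiLogCTVerifier&) = delete;
  MultiLogCTVerifier& operator=(const MultiLogCTVerifier&) = delete;

  ~MultiLogCTVerifier() override;

  // CTVerifier implementation:
  //
  // Verifies the SCTs presented for |cert|.
  //   |stapled_ocsp_response| - OCSP response stapled by the peer; may carry
  //       SCTs (untrusted input).
  //   |sct_list_from_tls_extension| - SCT list from the TLS extension
  //       (untrusted input).
  //   |current_time| - time used when checking the SCTs.
  //   |output_scts| - receives one entry per SCT with its verification status.
  //   |net_log| - destination for logging.
  void Verify(X509Certificate* cert,
              std::string_view stapled_ocsp_response,
              std::string_view sct_list_from_tls_extension,
              base::Time current_time,
              SignedCertificateTimestampAndStatusList* output_scts,
              const NetLogWithSource& net_log) const override;

 private:
  // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|,
  // placing the verification results in |output_scts|. The SCTs in the list
  // come from |origin| (as will be indicated in the origin field of each SCT).
  // |encoded_sct_list| is peer-supplied data and may be malformed.
  void VerifySCTs(std::string_view encoded_sct_list,
                  const ct::SignedEntryData& expected_entry,
                  ct::SignedCertificateTimestamp::Origin origin,
                  base::Time current_time,
                  X509Certificate* cert,
                  SignedCertificateTimestampAndStatusList* output_scts) const;

  // Verifies a single, parsed SCT against all logs, appending the result for
  // |sct| to |output_scts|.
  // NOTE(review): the meaning of the bool return is not visible here -
  // presumably true when a trusted log verified the SCT; confirm in the .cc.
  bool VerifySingleSCT(
      scoped_refptr<ct::SignedCertificateTimestamp> sct,
      const ct::SignedEntryData& expected_entry,
      base::Time current_time,
      X509Certificate* cert,
      SignedCertificateTimestampAndStatusList* output_scts) const;

  // Mapping from a log's ID to the verifier for this log.
  // A log's ID is the SHA-256 of the log's key, as defined in section 3.2.
  // of RFC6962.
  // The map is const: the trusted-log set cannot change after construction.
  const std::map<std::string, scoped_refptr<const CTLogVerifier>> logs_;
};

}  // namespace net

#endif  // NET_CERT_MULTI_LOG_CT_VERIFIER_H_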