|
Packit |
f0b94e |
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
Packit |
f0b94e |
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
Packit |
f0b94e |
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
f0b94e |
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit |
f0b94e |
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#ifndef MultiLogCTVerifier_h
|
|
Packit |
f0b94e |
#define MultiLogCTVerifier_h
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#include "CTLogVerifier.h"
|
|
Packit |
f0b94e |
#include "CTVerifyResult.h"
|
|
Packit |
f0b94e |
#include "mozilla/Vector.h"
|
|
Packit |
f0b94e |
#include "pkix/Input.h"
|
|
Packit |
f0b94e |
#include "pkix/Result.h"
|
|
Packit |
f0b94e |
#include "pkix/Time.h"
|
|
Packit |
f0b94e |
#include "SignedCertificateTimestamp.h"
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
namespace mozilla {
|
|
Packit |
f0b94e |
namespace ct {
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
// A Certificate Transparency verifier that can verify Signed Certificate
|
|
Packit |
f0b94e |
// Timestamps from multiple logs.
|
|
Packit |
f0b94e |
class MultiLogCTVerifier {
|
|
Packit |
f0b94e |
public:
|
|
Packit |
f0b94e |
// Adds a new log to the list of known logs to verify against.
|
|
Packit |
f0b94e |
pkix::Result AddLog(CTLogVerifier&& log);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
// Verifies SCTs embedded in the certificate itself, SCTs embedded in a
|
|
Packit |
f0b94e |
// stapled OCSP response, and SCTs obtained via the
|
|
Packit |
f0b94e |
// signed_certificate_timestamp TLS extension on the given |cert|.
|
|
Packit |
f0b94e |
//
|
|
Packit |
f0b94e |
// A certificate is permitted but not required to use multiple sources for
|
|
Packit |
f0b94e |
// SCTs. It is expected that most certificates will use only one source
|
|
Packit |
f0b94e |
// (embedding, TLS extension or OCSP stapling).
|
|
Packit |
f0b94e |
//
|
|
Packit |
f0b94e |
// The verifier stops on fatal errors (such as out of memory or invalid
|
|
Packit |
f0b94e |
// DER encoding of |cert|), but it does not stop on SCT decoding errors. See
|
|
Packit |
f0b94e |
// CTVerifyResult for more details.
|
|
Packit |
f0b94e |
//
|
|
Packit |
f0b94e |
// The internal state of the verifier object is not modified
|
|
Packit |
f0b94e |
// during the verification process.
|
|
Packit |
f0b94e |
//
|
|
Packit |
f0b94e |
// |cert| DER-encoded certificate to be validated using the provided SCTs.
|
|
Packit |
f0b94e |
// |sctListFromCert| SCT list embedded in |cert|, empty if not present.
|
|
Packit |
f0b94e |
// |issuerSubjectPublicKeyInfo| SPKI of |cert|'s issuer. Can be empty,
|
|
Packit |
f0b94e |
// in which case the embedded SCT list
|
|
Packit |
f0b94e |
// won't be verified.
|
|
Packit |
f0b94e |
// |sctListFromOCSPResponse| SCT list included in a stapled OCSP response
|
|
Packit |
f0b94e |
// for |cert|. Empty if not available.
|
|
Packit |
f0b94e |
// |sctListFromTLSExtension| is the SCT list from the TLS extension. Empty
|
|
Packit |
f0b94e |
// if no extension was present.
|
|
Packit |
f0b94e |
// |time| the current time. Used to make sure SCTs are not in the future.
|
|
Packit |
f0b94e |
// |result| will be filled with the SCTs present, divided into categories
|
|
Packit |
f0b94e |
// based on the verification result.
|
|
Packit |
f0b94e |
pkix::Result Verify(pkix::Input cert, pkix::Input issuerSubjectPublicKeyInfo,
|
|
Packit |
f0b94e |
pkix::Input sctListFromCert,
|
|
Packit |
f0b94e |
pkix::Input sctListFromOCSPResponse,
|
|
Packit |
f0b94e |
pkix::Input sctListFromTLSExtension, pkix::Time time,
|
|
Packit |
f0b94e |
CTVerifyResult& result);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
private:
|
|
Packit |
f0b94e |
// Verifies a list of SCTs from |encodedSctList| over |expectedEntry|,
|
|
Packit |
f0b94e |
// placing the verification results in |result|. The SCTs in the list
|
|
Packit |
f0b94e |
// come from |origin| (as will be reflected in the origin field of each SCT).
|
|
Packit |
f0b94e |
pkix::Result VerifySCTs(pkix::Input encodedSctList,
|
|
Packit |
f0b94e |
const LogEntry& expectedEntry,
|
|
Packit |
f0b94e |
VerifiedSCT::Origin origin, pkix::Time time,
|
|
Packit |
f0b94e |
CTVerifyResult& result);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
// Verifies a single, parsed SCT against all known logs.
|
|
Packit |
f0b94e |
// Note: moves |sct| to the target list in |result|, invalidating |sct|.
|
|
Packit |
f0b94e |
pkix::Result VerifySingleSCT(SignedCertificateTimestamp&& sct,
|
|
Packit |
f0b94e |
const ct::LogEntry& expectedEntry,
|
|
Packit |
f0b94e |
VerifiedSCT::Origin origin, pkix::Time time,
|
|
Packit |
f0b94e |
CTVerifyResult& result);
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
// The list of known logs.
|
|
Packit |
f0b94e |
Vector<CTLogVerifier> mLogs;
|
|
Packit |
f0b94e |
};
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
} // namespace ct
|
|
Packit |
f0b94e |
} // namespace mozilla
|
|
Packit |
f0b94e |
|
|
Packit |
f0b94e |
#endif // MultiLogCTVerifier_h
|