LCOV - code coverage report
Current view: top level - security/certverifier - MultiLogCTVerifier.h (source / functions) Hit Total Coverage
Test: output.info Lines: 1 1 100.0 %
Date: 2017-07-14 16:53:18 Functions: 1 2 50.0 %

          Line data    Source code
       1             : /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
       2             : /* vim: set ts=8 sts=2 et sw=2 tw=80: */
       3             : /* This Source Code Form is subject to the terms of the Mozilla Public
       4             :  * License, v. 2.0. If a copy of the MPL was not distributed with this
       5             :  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
       6             : 
       7             : #ifndef MultiLogCTVerifier_h
       8             : #define MultiLogCTVerifier_h
       9             : 
      10             : #include "CTLogVerifier.h"
      11             : #include "CTVerifyResult.h"
      12             : #include "mozilla/Vector.h"
      13             : #include "pkix/Input.h"
      14             : #include "pkix/Result.h"
      15             : #include "pkix/Time.h"
      16             : #include "SignedCertificateTimestamp.h"
      17             : 
      18             : namespace mozilla { namespace ct {
      19             : 
      20             : // A Certificate Transparency verifier that can verify Signed Certificate
      21             : // Timestamps from multiple logs.
                       //
                       // Logs are registered with AddLog(); Verify() then checks the SCTs found in
                       // up to three sources (embedded in the certificate, stapled OCSP response,
                       // TLS extension) and sorts them into a CTVerifyResult.
                       // NOTE(review): no constructor and no synchronization primitive is declared
                       // here, so treat concurrent AddLog()/Verify() calls as unsafe unless the
                       // implementation (not shown) says otherwise.
      22           1 : class MultiLogCTVerifier
      23             : {
      24             : public:
      25             :   // Adds a new log to the list of known logs to verify against.
                         // |log| is taken by rvalue reference, so it binds only to a temporary or
                         // to a std::move'd CTLogVerifier; presumably it is moved into mLogs --
                         // confirm against the implementation, which is not visible here.
                         // The returned pkix::Result should be checked by the caller.
                         // NOTE(review): nothing in this declaration rejects duplicate or
                         // unwanted logs; which logs are trusted is decided by whoever calls
                         // AddLog().
      26             :   pkix::Result AddLog(CTLogVerifier&& log);
      27             : 
      28             :   // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
      29             :   // stapled OCSP response, and SCTs obtained via the
      30             :   // signed_certificate_timestamp TLS extension on the given |cert|.
      31             :   //
      32             :   // A certificate is permitted but not required to use multiple sources for
      33             :   // SCTs. It is expected that most certificates will use only one source
      34             :   // (embedding, TLS extension or OCSP stapling).
      35             :   //
      36             :   // The verifier stops on fatal errors (such as out of memory or invalid
      37             :   // DER encoding of |cert|), but it does not stop on SCT decoding errors. See
      38             :   // CTVerifyResult for more details.
      39             :   //
      40             :   // The internal state of the verifier object is not modified
      41             :   // during the verification process.
                         // NOTE(review): Verify() is not const-qualified, so the guarantee above is
                         // a convention of the implementation, not something the compiler enforces.
      42             :   //
      43             :   // |cert|  DER-encoded certificate to be validated using the provided SCTs.
      44             :   // |sctListFromCert|  SCT list embedded in |cert|, empty if not present.
      45             :   // |issuerSubjectPublicKeyInfo|  SPKI of |cert|'s issuer. Can be empty,
      46             :   //                               in which case the embedded SCT list
      47             :   //                               won't be verified.
                         //                               NOTE(review): how unverified embedded
                         //                               SCTs are reported in |result| is not
                         //                               visible here -- confirm before relying
                         //                               on it in policy code.
      48             :   // |sctListFromOCSPResponse|  SCT list included in a stapled OCSP response
      49             :   //                            for |cert|. Empty if not available.
      50             :   // |sctListFromTLSExtension|  is the SCT list from the TLS extension. Empty
      51             :   //                            if no extension was present.
      52             :   // |time|  the current time. Used to make sure SCTs are not in the future.
      53             :   // |result|  will be filled with the SCTs present, divided into categories
      54             :   //           based on the verification result.
                         //
                         // Security note: as described above, the return value reports fatal errors
                         // only. Because SCT decoding errors do not stop verification, callers must
                         // inspect |result| to learn which SCTs actually verified; the return code
                         // alone does not establish Certificate Transparency compliance.
                         // NOTE(review): all three SCT lists are supplied by the peer (certificate,
                         // OCSP staple, TLS handshake) and should be treated as untrusted input.
                         // NOTE(review): pkix::Input is declared in pkix/Input.h (not shown); if it
                         // is a non-owning view, the underlying buffers must stay alive for the
                         // duration of the call -- confirm.
                         // NOTE(review): |time| gates the "not in the future" check, so it should
                         // come from a clock the caller trusts.
      55             :   pkix::Result Verify(pkix::Input cert,
      56             :                       pkix::Input issuerSubjectPublicKeyInfo,
      57             :                       pkix::Input sctListFromCert,
      58             :                       pkix::Input sctListFromOCSPResponse,
      59             :                       pkix::Input sctListFromTLSExtension,
      60             :                       pkix::Time time,
      61             :                       CTVerifyResult& result);
      62             : 
      63             : private:
      64             :   // Verifies a list of SCTs from |encodedSctList| over |expectedEntry|,
      65             :   // placing the verification results in |result|. The SCTs in the list
      66             :   // come from |origin| (as will be reflected in the origin field of each SCT).
                         // Presumably called by Verify() once per SCT source -- confirm against
                         // the implementation. |time| has the same meaning as in Verify().
      67             :   pkix::Result VerifySCTs(pkix::Input encodedSctList,
      68             :                           const LogEntry& expectedEntry,
      69             :                           VerifiedSCT::Origin origin,
      70             :                           pkix::Time time,
      71             :                           CTVerifyResult& result);
      72             : 
      73             :   // Verifies a single, parsed SCT against all known logs.
      74             :   // Note: moves |sct| to the target list in |result|, invalidating |sct|.
                         // The caller must therefore not read |sct| after this call returns.
                         // |expectedEntry| is spelled ct::LogEntry here and LogEntry in
                         // VerifySCTs(); inside namespace mozilla::ct both spellings are expected to
                         // name the same type.
      75             :   pkix::Result VerifySingleSCT(SignedCertificateTimestamp&& sct,
      76             :                                const ct::LogEntry& expectedEntry,
      77             :                                VerifiedSCT::Origin origin,
      78             :                                pkix::Time time,
      79             :                                CTVerifyResult& result);
      80             : 
      81             :   // The list of known logs.
                         // Vector is presumably mozilla::Vector from mozilla/Vector.h. The only
                         // declared way to add entries is AddLog(); no removal method is declared
                         // in this class.
      82             :   Vector<CTLogVerifier> mLogs;
      83             : };
      84             : 
      85             : } } // namespace mozilla::ct
      86             : 
      87             : #endif  // MultiLogCTVerifier_h
