blob: 053cbacd7cc1ddfd7c207f8298cdc1bbdfd6dfb0 [file] [log] [blame]
// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string>
#include <utility>
#include <vector>
#include "base/time/clock.h"
#include "base/time/time.h"
#include "net/cert/ct_policy_enforcer.h"
namespace certificate_transparency {
// A CTPolicyEnforcer that enforces the "Certificate Transparency in Chrome"
// policies detailed at
// This should only be used when there is a reliable, rapid update mechanism
// for the set of known, qualified logs - either through a reliable binary
// updating mechanism or through out-of-band delivery. See
// //net/docs/ for more details.
class ChromeCTPolicyEnforcer : public net::CTPolicyEnforcer {
// |logs| is a list of Certificate Transparency logs. Data about each log is
// needed to apply Chrome's policies. |disqualified_logs| is a map of log ID
// to disqualification date. |operated_by_google_logs| is a list of log IDs
// operated by Google. (Log IDs are the SHA-256 hash of the log's DER-encoded
// SubjectPublicKeyInfo.) |log_list_date| is the time at which the other two
// arguments were generated. Both lists of logs must be sorted by log ID.
base::Time log_list_date,
std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs,
std::vector<std::string> operated_by_google_logs);
~ChromeCTPolicyEnforcer() override;
net::ct::CTPolicyCompliance CheckCompliance(
net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
const net::NetLogWithSource& net_log) override;
void SetClockForTesting(const base::Clock* clock) { clock_ = clock; }
// Returns true if the log identified by |log_id| (the SHA-256 hash of the
// log's DER-encoded SPKI) has been disqualified, and sets
// |*disqualification_date| to the date of disqualification. Any SCTs that
// are embedded in certificates issued after |*disqualification_date| should
// not be trusted, nor contribute to any uniqueness or freshness
bool IsLogDisqualified(base::StringPiece log_id,
base::Time* disqualification_date) const;
// Returns true if the log identified by |log_id| (the SHA-256 hash of the
// log's DER-encoded SPKI) is operated by Google.
bool IsLogOperatedByGoogle(base::StringPiece log_id) const;
// Returns true if the supplied log data are fresh enough.
bool IsLogDataTimely() const;
net::ct::CTPolicyCompliance CheckCTPolicyCompliance(
const net::X509Certificate& cert,
const net::ct::SCTList& verified_scts) const;
// Map of SHA-256(SPKI) to log disqualification date.
std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs_;
// List of SHA-256(SPKI) for logs operated by Google.
std::vector<std::string> operated_by_google_logs_;
const base::Clock* clock_;
// The time at which |disqualified_logs_| and |operated_by_google_logs_| were
// generated.
const base::Time log_list_date_;
} // namespace certificate_transparency