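// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H
#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H

#include <string>
#include <vector>

#include "base/string_piece.h"

namespace net {

class DnsRRResolver;

// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS
// certificates via a DNS side-channel. The certificate chain observed on a
// connection is looked up in DNS; a lookup that reports failure is surfaced
// to a Delegate, which may then upload an encrypted report (see
// BuildEncryptedReport).
class DnsCertProvenanceChecker {
 public:
  // Delegate receives the outcome of a failed DNS certificate lookup. The
  // implementation of DoAsyncLookup decides when a lookup counts as failed.
  class Delegate {
   public:
    virtual ~Delegate();

    // Called when the DNS lookup for |hostname| reports a failure.
    // |der_certs| is the DER-encoded certificate chain that was being
    // checked, copied so the Delegate may retain it.
    virtual void OnDnsCertLookupFailed(
        const std::string& hostname,
        const std::vector<std::string>& der_certs) = 0;
  };

  virtual ~DnsCertProvenanceChecker();

  // Stops the checker. What happens to lookups still in flight is up to the
  // concrete implementation.
  virtual void Shutdown() = 0;

  // DoAsyncVerification starts an asynchronous check for the given certificate
  // chain. It must be run on the network thread.
  //
  // |der_certs| holds non-owning views of the DER certificates; the caller
  // guarantees their validity only for the duration of this call, so an
  // implementation must copy whatever it needs before doing asynchronous
  // work. (Review note: the protected helpers below take owned strings,
  // which is consistent with that, but confirm against the implementation.)
  virtual void DoAsyncVerification(
      const std::string& hostname,
      const std::vector<base::StringPiece>& der_certs) = 0;

 protected:
  // DoAsyncLookup performs a DNS lookup for the given name and certificate
  // chain using |dnsrr_resolver|. In the event that the lookup reports a
  // failure, |delegate| is called back via OnDnsCertLookupFailed.
  static void DoAsyncLookup(
      const std::string& hostname,
      const std::vector<base::StringPiece>& der_certs,
      DnsRRResolver* dnsrr_resolver,
      Delegate* delegate);

  // BuildEncryptedReport encrypts the hostname and certificate chain to a
  // fixed public key and returns the encrypted blob. Since this code is
  // reporting a possible HTTPS failure, it would seem silly to use HTTPS to
  // protect the uploaded report: encrypting to a key baked into the client
  // keeps the report confidential even if the PKI path under suspicion is
  // compromised.
  static std::string BuildEncryptedReport(
      const std::string& hostname,
      const std::vector<std::string>& der_certs);
};

}  // namespace net

#endif  // NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H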