multi_log_ct_verifier.h revision 5d1f7b1de12d16ceb2c938c56701a3e8bfa558f7
1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_ 6#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_ 7 8#include <map> 9#include <string> 10 11#include "base/memory/linked_ptr.h" 12#include "base/memory/scoped_ptr.h" 13#include "net/base/net_export.h" 14#include "net/cert/ct_verifier.h" 15#include "net/cert/signed_certificate_timestamp.h" 16 17namespace net { 18 19namespace ct { 20struct LogEntry; 21} // namespace ct 22 23class CTLogVerifier; 24 25// A Certificate Transparency verifier that can verify Signed Certificate 26// Timestamps from multiple logs. 27// There should be a global instance of this class and for all known logs, 28// AddLog should be called with a CTLogVerifier (which is created from the 29// log's public key). 30class NET_EXPORT MultiLogCTVerifier : public CTVerifier { 31 public: 32 MultiLogCTVerifier(); 33 virtual ~MultiLogCTVerifier(); 34 35 void AddLog(scoped_ptr<CTLogVerifier> log_verifier); 36 37 // CTVerifier implementation: 38 virtual int Verify(X509Certificate* cert, 39 const std::string& stapled_ocsp_response, 40 const std::string& sct_list_from_tls_extension, 41 ct::CTVerifyResult* result, 42 const BoundNetLog& net_log) OVERRIDE; 43 44 private: 45 // Mapping from a log's ID to the verifier for this log. 46 // A log's ID is the SHA-256 of the log's key, as defined in section 3.2. 47 // of RFC6962. 48 typedef std::map<std::string, linked_ptr<CTLogVerifier> > IDToLogMap; 49 50 // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|, 51 // placing the verification results in |result|. The SCTs in the list 52 // come from |origin| (as will be indicated in the origin field of each SCT). 53 bool VerifySCTs(const std::string& encoded_sct_list, 54 const ct::LogEntry& expected_entry, 55 ct::SignedCertificateTimestamp::Origin origin, 56 ct::CTVerifyResult* result); 57 58 // Verifies a single, parsed SCT against all logs. 59 bool VerifySingleSCT( 60 scoped_refptr<ct::SignedCertificateTimestamp> sct, 61 const ct::LogEntry& expected_entry, 62 ct::CTVerifyResult* result); 63 64 IDToLogMap logs_; 65 66 DISALLOW_COPY_AND_ASSIGN(MultiLogCTVerifier); 67}; 68 69} // namespace net 70 71#endif // NET_CERT_MULTI_LOG_CT_VERIFIER_H_ 72