horok/firefox
1
0
Fork 0
Code Activity
firefox/security/ct/CTPolicyEnforcer.h
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

60 lines
2.5 KiB
C++
Raw Permalink Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef CTPolicyEnforcer_h
#define CTPolicyEnforcer_h
#include "CTLog.h"
#include "CTVerifyResult.h"
#include "mozpkix/Result.h"
#include "mozpkix/Time.h"
namespace mozilla {
namespace ct {
// A helper enum to describe the result of running CheckCTPolicyCompliance on a
// collection of verified SCTs.
enum class CTPolicyCompliance {
// The connection complied with the certificate policy
// by including SCTs that satisfy the policy.
Compliant,
// The connection did not have enough valid SCTs to comply.
NotEnoughScts,
// The connection had enough valid SCTs, but the diversity requirement
// was not met (the number of CT log operators independent of the CA
// and of each other is too low).
NotDiverseScts,
};
// Checks the collected verified SCTs for compliance with the CT policy.
// The policy is based on Chrome's policy as described here:
// https://googlechrome.github.io/CertificateTransparency/ct_policy.html
// This policy (as well as Chrome's), is very similar to Apple's:
// https://support.apple.com/en-us/103214
// Essentially, the policy can be satisfied in two ways, depending on the
// source of the collected SCTs.
// For embedded SCTs, at least one must be from a log that was Admissible
// (Qualified, Usable, or ReadOnly) at the time of the check. There must be
// SCTs from N distinct logs that were Admissible or Retired at the time of the
// check, where N depends on the lifetime of the certificate. If the
// certificate lifetime is less than or equal to 180 days, N is 2. Otherwise, N
// is 3. Among these SCTs, at least two must be issued from distinct log
// operators.
// For SCTs delivered via the TLS handshake or an OCSP response, at least two
// must be from a log that was Admissible at the time of the check. Among these
// SCTs, at least two must be issued from distinct log operators.
//
// |verifiedSct| - SCTs present on the connection along with their verification
// status.
// |certLifetime| - certificate lifetime, based on the notBefore/notAfter
// fields.
CTPolicyCompliance CheckCTPolicyCompliance(const VerifiedSCTList& verifiedScts,
pkix::Duration certLifetime);
} // namespace ct
} // namespace mozilla
#endif // CTPolicyEnforcer_h
View git blame Copy permalink