diff options
Diffstat (limited to 'security/ct/CTPolicyEnforcer.h')
| -rw-r--r-- | security/ct/CTPolicyEnforcer.h | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/security/ct/CTPolicyEnforcer.h b/security/ct/CTPolicyEnforcer.h new file mode 100644 index 0000000000..0cbbec642f --- /dev/null +++ b/security/ct/CTPolicyEnforcer.h @@ -0,0 +1,65 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef CTPolicyEnforcer_h +#define CTPolicyEnforcer_h + +#include "CTLog.h" +#include "CTVerifyResult.h" +#include "mozpkix/Result.h" + +namespace mozilla { +namespace ct { + +// Information about the compliance of the TLS connection with the +// Certificate Transparency policy. +enum class CTPolicyCompliance { + // Compliance not checked or not applicable. + Unknown, + // The connection complied with the certificate policy + // by including SCTs that satisfy the policy. + Compliant, + // The connection did not have enough valid SCTs to comply. + NotEnoughScts, + // The connection had enough valid SCTs, but the diversity requirement + // was not met (the number of CT log operators independent of the CA + // and of each other is too low). + NotDiverseScts, +}; + +// Checks whether a TLS connection complies with the current CT policy. +// The implemented policy is based on the Mozilla CT Policy draft 0.1.0 +// (see https://docs.google.com/document/d/ +// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit). +// +// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION +// OF MOZILLA CT POLICY. Specifically: +// 1. CT log operators being CA-dependent is not currently taken into account +// (see CTDiversityPolicy.h). +// 2. The preexisting certificate exception provision of the operator diversity +// requirement is not implemented (see "CT Qualified" section of the policy and +// CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp). +class CTPolicyEnforcer { + public: + // |verifiedSct| - SCTs present on the connection along with their + // verification status. + // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar + // months (i.e. rounded down), based on the notBefore/notAfter fields. + // |dependentOperators| - which CT log operators are dependent on the CA + // that issued the certificate. SCTs issued by logs associated with such + // operators are treated differenly when evaluating the policy. + // See CTDiversityPolicy class. + // |compliance| - the result of the compliance check. + void CheckCompliance(const VerifiedSCTList& verifiedScts, + size_t certLifetimeInCalendarMonths, + const CTLogOperatorList& dependentOperators, + CTPolicyCompliance& compliance); +}; + +} // namespace ct +} // namespace mozilla + +#endif // CTPolicyEnforcer_h |