/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef CTPolicyEnforcer_h
#define CTPolicyEnforcer_h

#include "CTLog.h"
#include "CTVerifyResult.h"
#include "mozpkix/Result.h"

namespace mozilla {
namespace ct {

// Information about the compliance of the TLS connection with the
// Certificate Transparency policy.
enum class CTPolicyCompliance {
  // Compliance not checked or not applicable.
  Unknown,
  // The connection complied with the certificate policy
  // by including SCTs that satisfy the policy.
  Compliant,
  // The connection did not have enough valid SCTs to comply.
  NotEnoughScts,
  // The connection had enough valid SCTs, but the diversity requirement
  // was not met (the number of CT log operators independent of the CA
  // and of each other is too low).
  NotDiverseScts,
};

// Checks whether a TLS connection complies with the current CT policy.
// The implemented policy is based on the Mozilla CT Policy draft 0.1.0
// (see https://docs.google.com/document/d/
// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
//
// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
// OF MOZILLA CT POLICY. Specifically:
// 1. CT log operators being CA-dependent is not currently taken into account
// (see CTDiversityPolicy.h).
// 2. The preexisting certificate exception provision of the operator diversity
// requirement is not implemented (see "CT Qualified" section of the policy and
// CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
class CTPolicyEnforcer {
 public:
  // |verifiedSct| - SCTs present on the connection along with their
  // verification status.
  // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
  // months (i.e. rounded down), based on the notBefore/notAfter fields.
  // |dependentOperators| - which CT log operators are dependent on the CA
  // that issued the certificate. SCTs issued by logs associated with such
  // operators are treated differenly when evaluating the policy.
  // See CTDiversityPolicy class.
  // |compliance| - the result of the compliance check.
  void CheckCompliance(const VerifiedSCTList& verifiedScts,
                       size_t certLifetimeInCalendarMonths,
                       const CTLogOperatorList& dependentOperators,
                       CTPolicyCompliance& compliance);
};

}  // namespace ct
}  // namespace mozilla

#endif  // CTPolicyEnforcer_h