2017-01-09 09:22:28 +03:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
|
|
#ifndef CTPolicyEnforcer_h
|
|
|
|
|
#define CTPolicyEnforcer_h
|
|
|
|
|
|
|
|
|
|
#include "CTLog.h"
|
|
|
|
|
#include "CTVerifyResult.h"
|
2018-10-02 15:59:34 +03:00
|
|
|
#include "mozpkix/Result.h"
|
2017-01-09 09:22:28 +03:00
|
|
|
|
|
|
|
|
namespace mozilla {
|
|
|
|
|
namespace ct {
|
|
|
|
|
|
|
|
|
|
// Information about the compliance of the TLS connection with the
|
|
|
|
|
// Certificate Transparency policy.
|
|
|
|
|
enum class CTPolicyCompliance {
|
|
|
|
|
// Compliance not checked or not applicable.
|
|
|
|
|
Unknown,
|
|
|
|
|
// The connection complied with the certificate policy
|
|
|
|
|
// by including SCTs that satisfy the policy.
|
|
|
|
|
Compliant,
|
|
|
|
|
// The connection did not have enough valid SCTs to comply.
|
|
|
|
|
NotEnoughScts,
|
|
|
|
|
// The connection had enough valid SCTs, but the diversity requirement
|
|
|
|
|
// was not met (the number of CT log operators independent of the CA
|
|
|
|
|
// and of each other is too low).
|
|
|
|
|
NotDiverseScts,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Checks whether a TLS connection complies with the current CT policy.
|
|
|
|
|
// The implemented policy is based on the Mozilla CT Policy draft 0.1.0
|
|
|
|
|
// (see https://docs.google.com/document/d/
|
|
|
|
|
// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
|
|
|
|
|
//
|
|
|
|
|
// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
|
|
|
|
|
// OF MOZILLA CT POLICY. Specifically:
|
|
|
|
|
// 1. CT log operators being CA-dependent is not currently taken into account
|
|
|
|
|
// (see CTDiversityPolicy.h).
|
2020-07-01 18:23:26 +03:00
|
|
|
// 2. The preexisting certificate exception provision of the operator diversity
|
|
|
|
|
// requirement is not implemented (see "CT Qualified" section of the policy and
|
2017-01-09 09:22:28 +03:00
|
|
|
// CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
|
|
|
|
|
class CTPolicyEnforcer {
|
|
|
|
|
public:
|
|
|
|
|
// |verifiedSct| - SCTs present on the connection along with their
|
|
|
|
|
// verification status.
|
|
|
|
|
// |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
|
|
|
|
|
// months (i.e. rounded down), based on the notBefore/notAfter fields.
|
|
|
|
|
// |dependentOperators| - which CT log operators are dependent on the CA
|
|
|
|
|
// that issued the certificate. SCTs issued by logs associated with such
|
|
|
|
|
// operators are treated differenly when evaluating the policy.
|
|
|
|
|
// See CTDiversityPolicy class.
|
|
|
|
|
// |compliance| - the result of the compliance check.
|
2018-10-01 23:27:13 +03:00
|
|
|
void CheckCompliance(const VerifiedSCTList& verifiedScts,
|
|
|
|
|
size_t certLifetimeInCalendarMonths,
|
|
|
|
|
const CTLogOperatorList& dependentOperators,
|
|
|
|
|
CTPolicyCompliance& compliance);
|
2017-01-09 09:22:28 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
} // namespace ct
|
|
|
|
|
} // namespace mozilla
|
|
|
|
|
|
|
|
|
|
#endif // CTPolicyEnforcer_h
|
