1 // Copyright 2011 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_CERT_VERIFY_RESULT_H_ 6 #define NET_CERT_CERT_VERIFY_RESULT_H_ 7 8 #include "base/memory/scoped_refptr.h" 9 #include "base/values.h" 10 #include "net/base/hash_value.h" 11 #include "net/base/net_export.h" 12 #include "net/cert/cert_status_flags.h" 13 #include "net/cert/ct_policy_status.h" 14 #include "net/cert/signed_certificate_timestamp_and_status.h" 15 #include "third_party/boringssl/src/pki/ocsp_verify_result.h" 16 17 namespace ct { 18 enum class CTPolicyCompliance; 19 } // namespace ct 20 21 namespace net { 22 23 class X509Certificate; 24 25 // The result of certificate verification. 26 class NET_EXPORT CertVerifyResult { 27 public: 28 CertVerifyResult(); 29 CertVerifyResult(const CertVerifyResult& other); 30 ~CertVerifyResult(); 31 32 void Reset(); 33 34 // Creates NetLog parameter to describe the CertVerifyResult. |net_error| is 35 // a net error code to include in the params, if non-zero. It must not be 36 // ERR_IO_PENDING, as that is not a true error. 37 base::Value::Dict NetLogParams(int net_error) const; 38 39 // The certificate chain that was constructed during verification. 40 // 41 // Note: Although |verified_cert| will match the originally supplied 42 // certificate to be validated, the results of intermediate_buffers() 43 // may be substantially different, both in order and in content, then the 44 // originally supplied intermediates. 45 // 46 // In the event of validation failures, this may contain the originally 47 // supplied certificate chain or a partially constructed path, depending on 48 // the implementation. 49 // 50 // In the event of validation success, the trust anchor will be 51 // |verified_cert->intermediate_buffers().back()| if 52 // there was a certificate chain to the trust anchor, and will 53 // be |verified_cert->cert_buffer()| if the certificate was 54 // the trust anchor. 55 scoped_refptr<X509Certificate> verified_cert; 56 57 // Bitmask of CERT_STATUS_* from net/cert/cert_status_flags.h. Note that 58 // these status flags apply to the certificate chain returned in 59 // |verified_cert|, rather than the originally supplied certificate 60 // chain. 61 CertStatus cert_status; 62 63 // Hash algorithms used by the certificate chain, excluding the trust 64 // anchor. 65 bool has_sha1; 66 67 // If the certificate was successfully verified then this contains the 68 // hashes for all of the SubjectPublicKeyInfos of the chain (target, 69 // intermediates, and trust anchor) 70 // 71 // The ordering of the hashes in this vector is unspecified. Both the SHA1 72 // and SHA256 hash will be present for each certificate. 73 HashValueVector public_key_hashes; 74 75 // is_issued_by_known_root is true if we recognise the root CA as a standard 76 // root. If it isn't then it's probably the case that this certificate was 77 // generated by a MITM proxy whose root has been installed locally. This is 78 // meaningless if the certificate was not trusted. 79 bool is_issued_by_known_root; 80 81 // is_issued_by_additional_trust_anchor is true if the root CA used for this 82 // verification came from the list of additional trust anchors. 83 bool is_issued_by_additional_trust_anchor; 84 85 // Verification of stapled OCSP response, if present. 86 bssl::OCSPVerifyResult ocsp_result; 87 88 // `scts` contains the result of verifying any provided or embedded SCTs for 89 // this certificate against the set of known logs. Consumers should not simply 90 // check this for the presence of a successfully verified SCT to determine CT 91 // compliance. Instead look at `policy_compliance`. 92 SignedCertificateTimestampAndStatusList scts; 93 94 // The result of evaluating whether the certificate complies with the 95 // Certificate Transparency policy. 96 ct::CTPolicyCompliance policy_compliance; 97 }; 98 99 } // namespace net 100 101 #endif // NET_CERT_CERT_VERIFY_RESULT_H_ 102