xref: /aosp_15_r20/external/cronet/net/cert/ct_policy_enforcer.h (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
1 // Copyright 2014 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_CT_POLICY_ENFORCER_H_
6 #define NET_CERT_CT_POLICY_ENFORCER_H_
7 
8 #include <optional>
9 #include <string_view>
10 
11 #include <stddef.h>
12 
13 #include "base/memory/ref_counted.h"
14 #include "net/base/net_export.h"
15 #include "net/cert/signed_certificate_timestamp.h"
16 
17 namespace net {
18 
19 class NetLogWithSource;
20 
21 namespace ct {
22 enum class CTPolicyCompliance;
23 }  // namespace ct
24 
25 class X509Certificate;
26 
27 // Interface for checking whether or not a given certificate conforms to any
28 // policies an application may have regarding Certificate Transparency.
29 //
30 // See //net/docs/certificate-transparency.md for more details regarding the
31 // usage of CT in //net and risks that may exist when defining a CT policy.
32 class NET_EXPORT CTPolicyEnforcer
33     : public base::RefCountedThreadSafe<CTPolicyEnforcer> {
34  public:
35   // Returns the CT certificate policy compliance status for a given
36   // certificate and collection of SCTs. |cert| is the certificate to check.
37   // |verified_scts| contains any/all SCTs associated with |cert| that have
38   // already been verified (well-formed, issued by known logs, and applying
39   // to |cert|); callers are expected to do that verification first.
40   // NOTE(review): |net_log| is not described here; presumably event logging.
41   virtual ct::CTPolicyCompliance CheckCompliance(
42       X509Certificate* cert,
43       const ct::SCTList& verified_scts,
44       const NetLogWithSource& net_log) const = 0;
45 
46   // Returns the time at which the log identified by |log_id| (the SHA-256
47   // hash of the log's DER-encoded SPKI) was disqualified, or nullopt if
48   // the log has not been disqualified.
49   // Any SCTs that are embedded in certificates issued after the
50   // disqualification time should not be trusted, nor contribute to any
51   // uniqueness or freshness requirements.
52   virtual std::optional<base::Time> GetLogDisqualificationTime(
53       std::string_view log_id) const = 0;
54 
55   // Returns true if Certificate Transparency enforcement is enabled.
56   virtual bool IsCtEnabled() const = 0;
57 
58  protected:
59   virtual ~CTPolicyEnforcer() = default;  // Ref-counted; no direct delete.
60 
61  private:
62   friend class base::RefCountedThreadSafe<CTPolicyEnforcer>;
63 };
64 
65 // A default implementation of Certificate Transparency policies that is
66 // intended for use in applications without auto-update capabilities.
67 //
68 // See //net/docs/certificate-transparency.md for more details.
69 class NET_EXPORT DefaultCTPolicyEnforcer : public net::CTPolicyEnforcer {
70  public:
71   DefaultCTPolicyEnforcer() = default;
72 
     // CTPolicyEnforcer overrides. They are only declared here; their
     // definitions are not part of this header.
     // NOTE(review): confirm in the implementation which compliance status
     // this default returns and whether IsCtEnabled() reports true before
     // relying on it as real CT enforcement; the header alone does not say.
73   ct::CTPolicyCompliance CheckCompliance(
74       X509Certificate* cert,
75       const ct::SCTList& verified_scts,
76       const NetLogWithSource& net_log) const override;
77 
78   std::optional<base::Time> GetLogDisqualificationTime(
79       std::string_view log_id) const override;
80 
81   bool IsCtEnabled() const override;
82 
83  protected:
84   ~DefaultCTPolicyEnforcer() override = default;  // Ref-counted via base.
85 };
86 
87 }  // namespace net
88 
89 #endif  // NET_CERT_CT_POLICY_ENFORCER_H_
90