1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef MultiLogCTVerifier_h
8 #define MultiLogCTVerifier_h
12 #include "CTLogVerifier.h"
13 #include "CTVerifyResult.h"
14 #include "mozpkix/Input.h"
15 #include "mozpkix/Result.h"
16 #include "mozpkix/Time.h"
17 #include "SignedCertificateTimestamp.h"
22 void DecodeSCTs(pkix::Input encodedSctList
,
23 std::vector
<SignedCertificateTimestamp
>& decodedSCTs
,
24 size_t& decodingErrors
);
26 // A Certificate Transparency verifier that can verify Signed Certificate
27 // Timestamps from multiple logs.
28 class MultiLogCTVerifier
{
30 // Adds a new log to the list of known logs to verify against.
31 void AddLog(CTLogVerifier
&& log
);
33 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
34 // stapled OCSP response, and SCTs obtained via the
35 // signed_certificate_timestamp TLS extension on the given |cert|.
37 // A certificate is permitted but not required to use multiple sources for
38 // SCTs. It is expected that most certificates will use only one source
39 // (embedding, TLS extension or OCSP stapling).
41 // The verifier stops on fatal errors (such as out of memory or invalid
42 // DER encoding of |cert|), but it does not stop on SCT decoding errors. See
43 // CTVerifyResult for more details.
45 // The internal state of the verifier object is not modified
46 // during the verification process.
48 // |cert| DER-encoded certificate to be validated using the provided SCTs.
49 // |sctListFromCert| SCT list embedded in |cert|, empty if not present.
50 // |issuerSubjectPublicKeyInfo| SPKI of |cert|'s issuer. Can be empty,
51 // in which case the embedded SCT list
53 // |sctListFromOCSPResponse| SCT list included in a stapled OCSP response
54 // for |cert|. Empty if not available.
55 // |sctListFromTLSExtension| is the SCT list from the TLS extension. Empty
56 // if no extension was present.
57 // |time| the current time. Used to make sure SCTs are not in the future.
58 // |result| will be filled with the SCTs present, divided into categories
59 // based on the verification result.
60 pkix::Result
Verify(pkix::Input cert
, pkix::Input issuerSubjectPublicKeyInfo
,
61 pkix::Input sctListFromCert
,
62 pkix::Input sctListFromOCSPResponse
,
63 pkix::Input sctListFromTLSExtension
, pkix::Time time
,
64 CTVerifyResult
& result
);
67 // Verifies a list of SCTs from |encodedSctList| over |expectedEntry|,
68 // placing the verification results in |result|. The SCTs in the list
69 // come from |origin| (as will be reflected in the origin field of each SCT).
70 pkix::Result
VerifySCTs(pkix::Input encodedSctList
,
71 const LogEntry
& expectedEntry
,
72 VerifiedSCT::Origin origin
, pkix::Time time
,
73 CTVerifyResult
& result
);
75 // Verifies a single, parsed SCT against all known logs.
76 // Note: moves |sct| to the target list in |result|, invalidating |sct|.
77 pkix::Result
VerifySingleSCT(SignedCertificateTimestamp
&& sct
,
78 const ct::LogEntry
& expectedEntry
,
79 VerifiedSCT::Origin origin
, pkix::Time time
,
80 CTVerifyResult
& result
);
82 // The list of known logs.
83 std::vector
<CTLogVerifier
> mLogs
;
87 } // namespace mozilla
89 #endif // MultiLogCTVerifier_h