1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef MultiLogCTVerifier_h
8 #define MultiLogCTVerifier_h
12 #include "CTLogVerifier.h"
13 #include "CTVerifyResult.h"
14 #include "mozpkix/Input.h"
15 #include "mozpkix/Result.h"
16 #include "mozpkix/Time.h"
17 #include "SignedCertificateTimestamp.h"
22 // A Certificate Transparency verifier that can verify Signed Certificate
23 // Timestamps from multiple logs.
24 class MultiLogCTVerifier
{
26 // Adds a new log to the list of known logs to verify against.
27 void AddLog(CTLogVerifier
&& log
);
29 // Verifies SCTs embedded in the certificate itself, SCTs embedded in a
30 // stapled OCSP response, and SCTs obtained via the
31 // signed_certificate_timestamp TLS extension on the given |cert|.
33 // A certificate is permitted but not required to use multiple sources for
34 // SCTs. It is expected that most certificates will use only one source
35 // (embedding, TLS extension or OCSP stapling).
37 // The verifier stops on fatal errors (such as out of memory or invalid
38 // DER encoding of |cert|), but it does not stop on SCT decoding errors. See
39 // CTVerifyResult for more details.
41 // The internal state of the verifier object is not modified
42 // during the verification process.
44 // |cert| DER-encoded certificate to be validated using the provided SCTs.
45 // |sctListFromCert| SCT list embedded in |cert|, empty if not present.
46 // |issuerSubjectPublicKeyInfo| SPKI of |cert|'s issuer. Can be empty,
47 // in which case the embedded SCT list
49 // |sctListFromOCSPResponse| SCT list included in a stapled OCSP response
50 // for |cert|. Empty if not available.
51 // |sctListFromTLSExtension| is the SCT list from the TLS extension. Empty
52 // if no extension was present.
53 // |time| the current time. Used to make sure SCTs are not in the future.
54 // |result| will be filled with the SCTs present, divided into categories
55 // based on the verification result.
56 pkix::Result
Verify(pkix::Input cert
, pkix::Input issuerSubjectPublicKeyInfo
,
57 pkix::Input sctListFromCert
,
58 pkix::Input sctListFromOCSPResponse
,
59 pkix::Input sctListFromTLSExtension
, pkix::Time time
,
60 CTVerifyResult
& result
);
63 // Verifies a list of SCTs from |encodedSctList| over |expectedEntry|,
64 // placing the verification results in |result|. The SCTs in the list
65 // come from |origin| (as will be reflected in the origin field of each SCT).
66 pkix::Result
VerifySCTs(pkix::Input encodedSctList
,
67 const LogEntry
& expectedEntry
,
68 VerifiedSCT::Origin origin
, pkix::Time time
,
69 CTVerifyResult
& result
);
71 // Verifies a single, parsed SCT against all known logs.
72 // Note: moves |sct| to the target list in |result|, invalidating |sct|.
73 pkix::Result
VerifySingleSCT(SignedCertificateTimestamp
&& sct
,
74 const ct::LogEntry
& expectedEntry
,
75 VerifiedSCT::Origin origin
, pkix::Time time
,
76 CTVerifyResult
& result
);
78 // The list of known logs.
79 std::vector
<CTLogVerifier
> mLogs
;
83 } // namespace mozilla
85 #endif // MultiLogCTVerifier_h