1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef CTPolicyEnforcer_h
8 #define CTPolicyEnforcer_h
10 #include "CTLog.h"
11 #include "CTVerifyResult.h"
12 #include "mozpkix/Result.h"
14 namespace mozilla {
15 namespace ct {
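// Information about the compliance of the TLS connection with the
// Certificate Transparency policy.
//
// Only |Compliant| reports that the policy was satisfied. |Unknown| carries
// no verdict either way, so it is not evidence that the policy was met.
enum class CTPolicyCompliance {
  // Compliance not checked or not applicable.
  Unknown,
  // The connection complied with the certificate policy
  // by including SCTs that satisfy the policy.
  Compliant,
  // The connection did not have enough valid SCTs to comply.
  NotEnoughScts,
  // The connection had enough valid SCTs, but the diversity requirement
  // was not met (the number of CT log operators independent of the CA
  // and of each other is too low).
  NotDiverseScts,
};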
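// Checks whether a TLS connection complies with the current CT policy.
// The implemented policy is based on the Mozilla CT Policy draft 0.1.0
// (see https://docs.google.com/document/d/
// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
//
// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
// OF MOZILLA CT POLICY. Specifically:
// 1. CT log operators being CA-dependent is not currently taken into account
//    (see CTDiversityPolicy.h).
// 2. The preexisting certificate exception provision of the operator diversity
//    requirement is not implemented (see "CT Qualified" section of the policy
//    and CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
//
// NOTE(review): given (1), a |Compliant| verdict presumably does not yet
// establish that the logs are independent of the issuing CA; confirm against
// CTDiversityPolicy before relying on it for that property.
class CTPolicyEnforcer {
 public:
  // |verifiedScts| - SCTs present on the connection along with their
  // verification status.
  // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
  // months (i.e. rounded down), based on the notBefore/notAfter fields.
  // |dependentOperators| - which CT log operators are dependent on the CA
  // that issued the certificate. SCTs issued by logs associated with such
  // operators are treated differently when evaluating the policy.
  // See CTDiversityPolicy class.
  // |compliance| - (output) the result of the compliance check.
  // NOTE(review): this header does not show whether every path assigns
  // |compliance|; callers may want to initialize it to
  // CTPolicyCompliance::Unknown before the call.
  void CheckCompliance(const VerifiedSCTList& verifiedScts,
                       size_t certLifetimeInCalendarMonths,
                       const CTLogOperatorList& dependentOperators,
                       CTPolicyCompliance& compliance);
};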
62 } // namespace ct
63 } // namespace mozilla
65 #endif // CTPolicyEnforcer_h