CTPolicyEnforcer.h (2582B)
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef CTPolicyEnforcer_h 8 #define CTPolicyEnforcer_h 9 10 #include "CTLog.h" 11 #include "CTVerifyResult.h" 12 #include "mozpkix/Result.h" 13 #include "mozpkix/Time.h" 14 15 namespace mozilla { 16 namespace ct { 17 18 // A helper enum to describe the result of running CheckCTPolicyCompliance on a 19 // collection of verified SCTs. 20 enum class CTPolicyCompliance { 21 // The connection complied with the certificate policy 22 // by including SCTs that satisfy the policy. 23 Compliant, 24 // The connection did not have enough valid SCTs to comply. 25 NotEnoughScts, 26 // The connection had enough valid SCTs, but the diversity requirement 27 // was not met (the number of CT log operators independent of the CA 28 // and of each other is too low). 29 NotDiverseScts, 30 }; 31 32 // Checks the collected verified SCTs for compliance with the CT policy. 33 // The policy is based on Chrome's policy as described here: 34 // https://googlechrome.github.io/CertificateTransparency/ct_policy.html 35 // This policy (as well as Chrome's), is very similar to Apple's: 36 // https://support.apple.com/en-us/103214 37 // Essentially, the policy can be satisfied in two ways, depending on the 38 // source of the collected SCTs. 39 // For embedded SCTs, at least one must be from a log that was Admissible 40 // (Qualified, Usable, or ReadOnly) at the time of the check. There must be 41 // SCTs from N distinct logs that were Admissible or Retired at the time of the 42 // check, where N depends on the lifetime of the certificate. If the 43 // certificate lifetime is less than or equal to 180 days, N is 2. Otherwise, N 44 // is 3. Among these SCTs, at least two must be issued from distinct log 45 // operators. 46 // For SCTs delivered via the TLS handshake or an OCSP response, at least two 47 // must be from a log that was Admissible at the time of the check. Among these 48 // SCTs, at least two must be issued from distinct log operators. 49 // 50 // |verifiedSct| - SCTs present on the connection along with their verification 51 // status. 52 // |certLifetime| - certificate lifetime, based on the notBefore/notAfter 53 // fields. 54 CTPolicyCompliance CheckCTPolicyCompliance(const VerifiedSCTList& verifiedScts, 55 pkix::Duration certLifetime); 56 57 } // namespace ct 58 } // namespace mozilla 59 60 #endif // CTPolicyEnforcer_h