CTVerifyResult.h (2768B)
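/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef CTVerifyResult_h
#define CTVerifyResult_h

// size_t and uint64_t are used below; include their headers directly rather
// than relying on a transitive include from the project headers.
#include <cstddef>
#include <cstdint>
#include <vector>

#include "CTKnownLogs.h"
#include "CTLog.h"
#include "SignedCertificateTimestamp.h"

namespace mozilla {
namespace ct {

// Delivery channel through which an SCT reached the verifier.
enum class SCTOrigin {
  Embedded,      // Carried inside the certificate.
  TLSExtension,  // Sent in the TLS handshake.
  OCSPResponse,  // Delivered via OCSP.
};

// Holds a verified Signed Certificate Timestamp along with the verification
// status (e.g. valid/invalid) and additional information related to the
// verification.
// NOTE(review): no member that records a valid/invalid status is declared in
// this struct. Whether an entry can describe an SCT that failed verification
// cannot be determined from this header; code that bases a Certificate
// Transparency policy decision on VerifiedSCTList should confirm this against
// the code that fills the list. TODO confirm.
struct VerifiedSCT {
  // Takes the SCT by rvalue reference. The constructor is defined outside
  // this header.
  VerifiedSCT(SignedCertificateTimestamp&& sct, SCTOrigin origin,
              CTLogOperatorId logOperatorId, CTLogState logState,
              CTLogFormat logFormat, uint64_t logTimestamp);

  // The original SCT.
  SignedCertificateTimestamp sct;
  // The channel the SCT was delivered through.
  SCTOrigin origin;
  // Operator, state and format of the log this SCT is associated with. These
  // types are declared outside this header.
  CTLogOperatorId logOperatorId;
  CTLogState logState;
  CTLogFormat logFormat;
  // NOTE(review): unit and meaning are not visible here; presumably the
  // timestamp that goes with |logState|. TODO confirm.
  uint64_t logTimestamp;
};

using VerifiedSCTList = std::vector<VerifiedSCT>;

// Holds Signed Certificate Timestamps verification results.
//
// The counters below are plain tallies that a caller can use for reporting
// and diagnostics; this header does not define any policy on top of them.
class CTVerifyResult {
 public:
  CTVerifyResult() { Reset(); }

  // SCTs that were processed during the verification along with their
  // verification results.
  VerifiedSCTList verifiedScts;

  // The verifier makes the best effort to extract the available SCTs
  // from the binary sources provided to it.
  // If some SCT cannot be extracted due to encoding errors, the verifier
  // proceeds to the next available one. In other words, decoding errors are
  // effectively ignored.
  // Note that a serialized SCT may fail to decode for a "legitimate" reason,
  // e.g. if the SCT is from a future version of the Certificate Transparency
  // standard.
  // |decodingErrors| field counts the errors of the above kind.
  // Because such SCTs are skipped, this counter is the only trace in this
  // structure that undecodable SCT data was presented.
  //
  // Reset() is defined outside this header. The in-class initializers on the
  // counters keep each one in a defined state even if Reset() does not
  // assign it.
  size_t decodingErrors = 0;
  // The number of SCTs encountered from unknown logs.
  size_t sctsFromUnknownLogs = 0;
  // The number of SCTs encountered with invalid signatures.
  size_t sctsWithInvalidSignatures = 0;
  // The number of SCTs encountered with timestamps in the future.
  size_t sctsWithInvalidTimestamps = 0;
  // The number of SCTs encountered with timestamps past a root's distrust
  // after date.
  size_t sctsWithDistrustedTimestamps = 0;

  // The number of SCTs that were embedded in the certificate.
  size_t embeddedSCTs = 0;
  // The number of SCTs included in the TLS handshake.
  size_t sctsFromTLSHandshake = 0;
  // The number of SCTs delivered via OCSP.
  size_t sctsFromOCSP = 0;

  // Called by the constructor; defined outside this header.
  void Reset();
};

}  // namespace ct
}  // namespace mozilla

#endif  // CTVerifyResult_h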