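// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_MULTI_LOG_CT_VERIFIER_H_
#define NET_CERT_MULTI_LOG_CT_VERIFIER_H_

#include <map>
#include <string>
#include <string_view>
#include <vector>  // std::vector is used in the constructor signature below.

#include "base/memory/scoped_refptr.h"
#include "net/base/net_export.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/signed_certificate_timestamp.h"

namespace net {

namespace ct {
struct SignedEntryData;
}  // namespace ct

class CTLogVerifier;

// A Certificate Transparency verifier that can verify Signed Certificate
// Timestamps (SCTs) from multiple logs.
//
// The set of trusted logs is fixed at construction time: the log verifiers are
// passed to the constructor and stored in the const |logs_| map, and there is
// no method for adding or removing logs afterwards. An SCT can therefore only
// be verified against a log that was supplied when the verifier was built.
class NET_EXPORT MultiLogCTVerifier : public CTVerifier {
 public:
  // Constructs a verifier that trusts exactly the logs in |log_verifiers|.
  // Each verifier is indexed by its log ID (see |logs_| below).
  explicit MultiLogCTVerifier(
      const std::vector<scoped_refptr<const CTLogVerifier>>& log_verifiers);

  MultiLogCTVerifier(const MultiLogCTVerifier&) = delete;
  MultiLogCTVerifier& operator=(const MultiLogCTVerifier&) = delete;

  ~MultiLogCTVerifier() override;

  // CTVerifier implementation.
  //
  // Verifies the SCTs presented for |cert| that were delivered in the stapled
  // OCSP response (|stapled_ocsp_response|) and in the TLS extension
  // (|sct_list_from_tls_extension|). Each SCT and its verification status is
  // placed in |output_scts|; |net_log| receives logging for the operation.
  // Both SCT list arguments are untrusted, peer-supplied bytes, so callers may
  // pass them through unparsed; parsing and validation happen here.
  void Verify(X509Certificate* cert,
              std::string_view stapled_ocsp_response,
              std::string_view sct_list_from_tls_extension,
              SignedCertificateTimestampAndStatusList* output_scts,
              const NetLogWithSource& net_log) const override;

 private:
  // Verify a list of SCTs from |encoded_sct_list| over |expected_entry|,
  // placing the verification results in |output_scts|. The SCTs in the list
  // come from |origin| (as will be indicated in the origin field of each SCT).
  // |encoded_sct_list| is the serialized, still-unparsed list as received from
  // the peer.
  void VerifySCTs(std::string_view encoded_sct_list,
                  const ct::SignedEntryData& expected_entry,
                  ct::SignedCertificateTimestamp::Origin origin,
                  X509Certificate* cert,
                  SignedCertificateTimestampAndStatusList* output_scts) const;

  // Verifies a single, parsed SCT against all logs, recording the outcome for
  // |sct| in |output_scts|.
  // NOTE(review): the meaning of the bool return is defined in the .cc —
  // presumably whether the SCT was successfully verified; confirm there.
  bool VerifySingleSCT(
      scoped_refptr<ct::SignedCertificateTimestamp> sct,
      const ct::SignedEntryData& expected_entry,
      X509Certificate* cert,
      SignedCertificateTimestampAndStatusList* output_scts) const;

  // Mapping from a log's ID to the verifier for this log.
  // A log's ID is the SHA-256 of the log's key, as defined in section 3.2.
  // of RFC6962. Declared const so the trusted-log set cannot change after
  // construction.
  const std::map<std::string, scoped_refptr<const CTLogVerifier>> logs_;
};

}  // namespace net

#endif  // NET_CERT_MULTI_LOG_CT_VERIFIER_H_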