/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef CTPolicyEnforcer_h
#define CTPolicyEnforcer_h

#include "CTLog.h"
#include "CTVerifyResult.h"
#include "mozpkix/Result.h"

namespace mozilla {
namespace ct {

// Information about the compliance of the TLS connection with the
// Certificate Transparency policy.
// Only |Compliant| means the policy was satisfied. |Unknown| is "not
// checked / not applicable", not a pass, so a caller that enforces CT should
// treat every value other than |Compliant| as not having met the policy.
enum class CTPolicyCompliance {
  // Compliance not checked or not applicable.
  Unknown,
  // The connection complied with the certificate policy
  // by including SCTs that satisfy the policy.
  Compliant,
  // The connection did not have enough valid SCTs to comply.
  NotEnoughScts,
  // The connection had enough valid SCTs, but the diversity requirement
  // was not met (the number of CT log operators independent of the CA
  // and of each other is too low).
  NotDiverseScts,
};

// Checks whether a TLS connection complies with the current CT policy.
// The implemented policy is based on the Mozilla CT Policy draft 0.1.0
// (see https://docs.google.com/document/d/
// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
//
// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
// OF MOZILLA CT POLICY. Specifically:
// 1. CT log operators being CA-dependent is not currently taken into account
//    (see CTDiversityPolicy.h).
// 2. The grandfathering provision of the operator diversity requirement
//    is not implemented (see "CT Qualified" section of the policy and
//    CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
//
// This header only declares the interface; the policy logic lives in
// CTPolicyEnforcer.cpp. The class carries no state of its own, so the
// result of a check depends solely on the arguments passed in.
class CTPolicyEnforcer {
 public:
  // Evaluates the CT policy for one connection and reports the outcome
  // through |compliance|.
  //
  // |verifiedScts| - SCTs present on the connection along with their
  //   verification status. NOTE(review): presumably only SCTs whose
  //   verification succeeded count toward the policy; confirm against
  //   CTPolicyEnforcer.cpp before relying on this.
  // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
  //   months (i.e. rounded down), based on the notBefore/notAfter fields.
  // |dependentOperators| - which CT log operators are dependent on the CA
  //   that issued the certificate. SCTs issued by logs associated with such
  //   operators are treated differently when evaluating the policy.
  //   See CTDiversityPolicy class.
  // |compliance| - the result of the compliance check (out-parameter; see
  //   CTPolicyCompliance for the meaning of each value).
  void CheckCompliance(const VerifiedSCTList& verifiedScts,
                       size_t certLifetimeInCalendarMonths,
                       const CTLogOperatorList& dependentOperators,
                       CTPolicyCompliance& compliance);
};

}  // namespace ct
}  // namespace mozilla

#endif  // CTPolicyEnforcer_h