1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #ifndef CTPolicyEnforcer_h
8 #define CTPolicyEnforcer_h
9 
10 #include "CTLog.h"
11 #include "CTVerifyResult.h"
12 #include "mozpkix/Result.h"
13 
14 namespace mozilla {
15 namespace ct {
16 
17 // Information about the compliance of the TLS connection with the
18 // Certificate Transparency policy.
// Outcome of evaluating a TLS connection against the Certificate Transparency
// (CT) policy. Filled in by CTPolicyEnforcer::CheckCompliance (declared below).
enum class CTPolicyCompliance {
  // Compliance was not checked, or the policy does not apply to this
  // connection. NOTE(review): this is distinct from Compliant; callers that
  // enforce CT presumably must not treat Unknown as a pass — confirm at the
  // call sites.
  Unknown,
  // The connection complied with the certificate policy
  // by including SCTs that satisfy the policy.
  Compliant,
  // The connection did not have enough valid SCTs to comply.
  // (Only SCTs whose verification status is valid count towards the
  // threshold; unverifiable SCTs do not help.)
  NotEnoughScts,
  // The connection had enough valid SCTs, but the diversity requirement
  // was not met (the number of CT log operators independent of the CA
  // and of each other is too low). See the header comment on
  // CTPolicyEnforcer for the parts of the diversity requirement that are
  // not yet implemented.
  NotDiverseScts,
};
32 
33 // Checks whether a TLS connection complies with the current CT policy.
34 // The implemented policy is based on the Mozilla CT Policy draft 0.1.0
35 // (see https://docs.google.com/document/d/
36 // 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
37 //
38 // NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
39 // OF MOZILLA CT POLICY. Specifically:
40 // 1. CT log operators being CA-dependent is not currently taken into account
41 // (see CTDiversityPolicy.h).
42 // 2. The grandfathering provision of the operator diversity requirement
43 // is not implemented (see "CT Qualified" section of the policy and
44 // CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
class CTPolicyEnforcer {
 public:
  // Evaluates the SCTs presented on a connection against the CT policy
  // described in the comment above this class and reports the verdict
  // through |compliance|.
  //
  // |verifiedScts| - SCTs present on the connection along with their
  // verification status. Only SCTs that verified successfully are expected to
  // count towards the policy; the status of each entry is what distinguishes
  // them (see CTVerifyResult.h).
  // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
  // months (i.e. rounded down), based on the notBefore/notAfter fields.
  // The policy's required SCT count depends on this value.
  // |dependentOperators| - which CT log operators are dependent on the CA
  // that issued the certificate. SCTs issued by logs associated with such
  // operators are treated differently when evaluating the policy.
  // See CTDiversityPolicy class.
  // |compliance| - out-parameter receiving the result of the compliance
  // check (see CTPolicyCompliance). This function returns nothing else, so
  // callers must read |compliance| to learn the verdict.
  void CheckCompliance(const VerifiedSCTList& verifiedScts,
                       size_t certLifetimeInCalendarMonths,
                       const CTLogOperatorList& dependentOperators,
                       CTPolicyCompliance& compliance);
};
61 
62 }  // namespace ct
63 }  // namespace mozilla
64 
65 #endif  // CTPolicyEnforcer_h
66