1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 /* This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef CTVerifyResult_h 8 #define CTVerifyResult_h 9 10 #include <vector> 11 12 #include "CTLog.h" 13 #include "SignedCertificateTimestamp.h" 14 15 namespace mozilla { 16 namespace ct { 17 18 // Holds a verified Signed Certificate Timestamp along with the verification 19 // status (e.g. valid/invalid) and additional information related to the 20 // verification. 21 struct VerifiedSCT { 22 VerifiedSCT(); 23 24 // The original SCT. 25 SignedCertificateTimestamp sct; 26 27 enum class Status { 28 None, 29 // The SCT is from a known log, and the signature is valid. 30 Valid, 31 // The SCT is from a known disqualified log, and the signature is valid. 32 // For the disqualification time of the log see |logDisqualificationTime|. 33 ValidFromDisqualifiedLog, 34 // The SCT is from an unknown log and can not be verified. 35 UnknownLog, 36 // The SCT is from a known log, but the signature is invalid. 37 InvalidSignature, 38 // The SCT signature is valid, but the timestamp is in the future. 39 // Such SCTs are considered invalid (see RFC 6962, Section 5.2). 40 InvalidTimestamp, 41 }; 42 43 enum class Origin { 44 Unknown, 45 Embedded, 46 TLSExtension, 47 OCSPResponse, 48 }; 49 50 Status status; 51 Origin origin; 52 CTLogOperatorId logOperatorId; 53 uint64_t logDisqualificationTime; 54 }; 55 56 typedef std::vector<VerifiedSCT> VerifiedSCTList; 57 58 // Holds Signed Certificate Timestamps verification results. 59 class CTVerifyResult { 60 public: CTVerifyResult()61 CTVerifyResult() { Reset(); } 62 63 // SCTs that were processed during the verification along with their 64 // verification results. 65 VerifiedSCTList verifiedScts; 66 67 // The verifier makes the best effort to extract the available SCTs 68 // from the binary sources provided to it. 69 // If some SCT cannot be extracted due to encoding errors, the verifier 70 // proceeds to the next available one. In other words, decoding errors are 71 // effectively ignored. 72 // Note that a serialized SCT may fail to decode for a "legitimate" reason, 73 // e.g. if the SCT is from a future version of the Certificate Transparency 74 // standard. 75 // |decodingErrors| field counts the errors of the above kind. 76 size_t decodingErrors; 77 78 void Reset(); 79 }; 80 81 } // namespace ct 82 } // namespace mozilla 83 84 #endif // CTVerifyResult_h 85