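// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_SSL_INFO_H_
#define NET_SSL_SSL_INFO_H_

#include <stdint.h>

#include <string>
#include <vector>

#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/ocsp_verify_result.h"
#include "net/cert/sct_status_flags.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
#include "net/cert/x509_cert_types.h"
#include "net/ssl/ssl_config.h"

namespace net {

class X509Certificate;

// SSL connection info.
// This is really a struct. All members are public.
//
// The fields describe the outcome of certificate verification and of the
// TLS handshake for one connection. Consumers deciding whether a connection
// is trustworthy must look at |cert_status| (and |is_fatal_cert_error|),
// not merely at whether |cert| is present.
class NET_EXPORT SSLInfo {
 public:
  // HandshakeType enumerates the possible resumption cases after an SSL
  // handshake.
  enum HandshakeType {
    HANDSHAKE_UNKNOWN = 0,
    HANDSHAKE_RESUME,  // we resumed a previous session.
    HANDSHAKE_FULL,    // we negotiated a new session.
  };

  // Constructs an SSLInfo with every field at its default (see the member
  // initializers below); equivalent to a freshly Reset() instance.
  SSLInfo();
  // Copies are member-wise; the certificate handles share ownership.
  SSLInfo(const SSLInfo& info);
  ~SSLInfo();
  SSLInfo& operator=(const SSLInfo& info);

  // Returns every field to its default value, dropping any certificate
  // references held.
  void Reset();

  // True iff a certificate chain is attached. This only reflects the presence
  // of |cert|; it says nothing about whether verification succeeded. Check
  // |cert_status| for errors before trusting the connection.
  bool is_valid() const { return cert.get() != nullptr; }

  // Adds the SignedCertificateTimestamps and policy compliance details
  // from ct_verify_result to |signed_certificate_timestamps| and
  // |ct_policy_compliance_details|. SCTs are held in three separate
  // vectors in ct_verify_result, each vector representing a particular
  // verification state, this method associates each of the SCTs with
  // the corresponding SCTVerifyStatus as it adds it to the
  // |signed_certificate_timestamps| list.
  void UpdateCertificateTransparencyInfo(
      const ct::CTVerifyResult& ct_verify_result);

  // The SSL certificate.
  scoped_refptr<X509Certificate> cert;

  // The SSL certificate as received by the client. Can be different
  // from |cert|, which is the chain as built by the client during
  // validation.
  scoped_refptr<X509Certificate> unverified_cert;

  // Bitmask of status info of |cert|, representing, for example, known errors
  // and extended validation (EV) status.
  // See cert_status_flags.h for values.
  CertStatus cert_status = 0;

  // The ID of the (EC)DH group used by the key exchange or zero if unknown
  // (older cache entries may not store the value) or not applicable.
  uint16_t key_exchange_group = 0;

  // The signature algorithm used by the peer in the TLS handshake, as defined
  // by the TLS SignatureScheme registry
  // (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme).
  // These correspond to |SSL_SIGN_*| constants in BoringSSL. The value is zero
  // if unknown (older cache entries may not store the value) or not applicable.
  uint16_t peer_signature_algorithm = 0;

  // Information about the SSL connection itself. See
  // ssl_connection_status_flags.h for values. The protocol version,
  // ciphersuite, and compression in use are encoded within.
  int connection_status = 0;

  // If the certificate is valid, then this is true iff it was rooted at a
  // standard CA root. (As opposed to a user-installed root.)
  bool is_issued_by_known_root = false;

  // True if pinning was bypassed on this connection.
  bool pkp_bypassed = false;

  // True if a client certificate was sent to the server. Note that sending
  // a Certificate message with no client certificate in it does not count.
  bool client_cert_sent = false;

  // True if data was received over early data on the server. This field is only
  // set for server sockets.
  bool early_data_received = false;

  // Whether the session was resumed or freshly negotiated; see HandshakeType.
  HandshakeType handshake_type = HANDSHAKE_UNKNOWN;

  // The hashes, in several algorithms, of the SubjectPublicKeyInfos from
  // each certificate in the chain.
  HashValueVector public_key_hashes;

  // pinning_failure_log contains a message produced by
  // TransportSecurityState::PKPState::CheckPublicKeyPins in the event of a
  // pinning failure. It is a (somewhat) human-readable string.
  std::string pinning_failure_log;

  // List of SignedCertificateTimestamps and their corresponding validation
  // status.
  SignedCertificateTimestampAndStatusList signed_certificate_timestamps;

  // Whether the connection complied with the CT cert policy, and if
  // not, why not.
  ct::CTPolicyCompliance ct_policy_compliance =
      ct::CTPolicyCompliance::CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE;

  // True if the connection was required to comply with the CT cert policy. Only
  // meaningful if |ct_policy_compliance| is not
  // COMPLIANCE_DETAILS_NOT_AVAILABLE.
  bool ct_policy_compliance_required = false;

  // OCSP stapling details.
  OCSPVerifyResult ocsp_result;

  // True if there was a certificate error which should be treated as fatal,
  // and false otherwise.
  bool is_fatal_cert_error = false;
};

}  // namespace net

#endif  // NET_SSL_SSL_INFO_H_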