1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_SSL_INFO_H_
6 #define NET_SSL_SSL_INFO_H_
7 
#include <stdint.h>

#include <string>
#include <vector>

#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/ocsp_verify_result.h"
#include "net/cert/sct_status_flags.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
#include "net/cert/x509_cert_types.h"
#include "net/ssl/ssl_config.h"
22 
23 namespace net {
24 
25 class X509Certificate;
26 
// Information about a single SSL/TLS connection: the peer certificate chain,
// the outcome of verifying it, and the parameters that were negotiated.
//
// This is really a struct: every member is public and callers read and write
// them directly. Only the copy operations are declared (no move constructor or
// move assignment), so passing an SSLInfo by value copies the vectors and
// strings it holds.
class NET_EXPORT SSLInfo {
 public:
  // Whether the handshake resumed an earlier session or negotiated a new one.
  enum HandshakeType {
    HANDSHAKE_UNKNOWN = 0,  // Not recorded / not applicable.
    HANDSHAKE_RESUME = 1,   // A previous session was resumed.
    HANDSHAKE_FULL = 2,     // A new session was negotiated.
  };

  SSLInfo();
  SSLInfo(const SSLInfo& info);
  ~SSLInfo();
  SSLInfo& operator=(const SSLInfo& info);

  // Clears the recorded connection info.
  void Reset();

  // True when a certificate is attached. This only means |cert| is non-null;
  // it says nothing about whether verification succeeded. Consult
  // |cert_status| and |is_fatal_cert_error| before trusting the connection.
  bool is_valid() const { return static_cast<bool>(cert.get()); }

  // Copies the SCTs held in |ct_verify_result| into
  // |signed_certificate_timestamps|. The verify result keeps the SCTs in three
  // separate vectors, one per verification state; each SCT is tagged with the
  // SCTVerifyStatus of the vector it came from as it is appended. The policy
  // compliance details are recorded as well (see |ct_policy_compliance|).
  void UpdateCertificateTransparencyInfo(
      const ct::CTVerifyResult& ct_verify_result);

  // The SSL certificate, i.e. the chain as built by the client during
  // verification.
  scoped_refptr<X509Certificate> cert;

  // The chain exactly as the server sent it. May differ from |cert|, which is
  // the chain the client built while verifying.
  scoped_refptr<X509Certificate> unverified_cert;

  // Bitmask describing |cert|: known errors, extended validation (EV) status,
  // and so on. Values are the flags in cert_status_flags.h.
  CertStatus cert_status{0};

  // ID of the (EC)DH group used by the key exchange. Zero when unknown (older
  // cache entries may not store it) or when no such exchange applies.
  uint16_t key_exchange_group{0};

  // TLS SignatureScheme value the peer used during the handshake, as defined
  // by the IANA registry
  // (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme).
  // These match the |SSL_SIGN_*| constants in BoringSSL. Zero when unknown
  // (older cache entries may not store it) or not applicable.
  uint16_t peer_signature_algorithm{0};

  // Packed description of the connection itself: the protocol version,
  // ciphersuite and compression in use are encoded within. See
  // ssl_connection_status_flags.h for the values and decoding helpers.
  int connection_status{0};

  // Only meaningful when the certificate is valid: true iff the chain is
  // rooted at a standard CA root, as opposed to a user-installed root.
  bool is_issued_by_known_root{false};

  // True if public-key pinning was bypassed (not enforced) on this
  // connection. The reason for the bypass is not recorded in this struct.
  bool pkp_bypassed{false};

  // True if the client actually sent a certificate to the server. Sending a
  // Certificate message that carries no client certificate leaves this false.
  bool client_cert_sent{false};

  // True if the server received data as TLS early data (0-RTT). Populated
  // only for server sockets. NOTE(review): early data can be replayed by a
  // network attacker, so server-side consumers should not treat such requests
  // as non-replayable — confirm how callers use this bit.
  bool early_data_received{false};

  // Whether the session was resumed or fully negotiated.
  HandshakeType handshake_type{HANDSHAKE_UNKNOWN};

  // Hashes of the SubjectPublicKeyInfo of every certificate in the chain, in
  // several hash algorithms.
  HashValueVector public_key_hashes;

  // (Somewhat) human-readable message produced by
  // TransportSecurityState::PKPState::CheckPublicKeyPins when pinning fails.
  std::string pinning_failure_log;

  // Each SignedCertificateTimestamp seen on this connection together with its
  // validation status.
  SignedCertificateTimestampAndStatusList signed_certificate_timestamps;

  // Whether the connection complied with the CT certificate policy and, if
  // not, why not.
  ct::CTPolicyCompliance ct_policy_compliance{
      ct::CTPolicyCompliance::CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE};

  // True if the connection was required to comply with the CT certificate
  // policy. Only meaningful when |ct_policy_compliance| is something other
  // than CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE.
  bool ct_policy_compliance_required{false};

  // Result of verifying the stapled OCSP response.
  OCSPVerifyResult ocsp_result;

  // True if a certificate error occurred that should be treated as fatal;
  // false otherwise.
  bool is_fatal_cert_error{false};
};
134 
135 }  // namespace net
136 
137 #endif  // NET_SSL_SSL_INFO_H_
138