security/certverifier/CTPolicyEnforcer.h
author Kershaw Chang <kechang@mozilla.com>
Thu, 27 Jul 2017 23:41:00 +0200
changeset 420412 43a17f4d5399bcca8f67b3756aadf670792873d2
parent 377825 9faf10e794e61d45e42246f101681ceb9f10cced
permissions -rw-r--r--
Bug 1366822 - Part1: Modify NetworkPrioritizer to only update selected tab's window ID, r=dao The original NetworkPrioritizer tracks each browser window and give the high priority to the selected tab. This patch is based on the NetworkPrioritizer, but only send a notification of the current selected tab's content outer window ID to network module.

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef CTPolicyEnforcer_h
#define CTPolicyEnforcer_h

#include "CTLog.h"
#include "CTVerifyResult.h"
#include "pkix/Result.h"

namespace mozilla { namespace ct {

// Information about the compliance of the TLS connection with the
// Certificate Transparency policy.
enum class CTPolicyCompliance
{
  // Compliance not checked or not applicable.
  Unknown,
  // The connection complied with the certificate policy
  // by including SCTs that satisfy the policy.
  Compliant,
  // The connection did not have enough valid SCTs to comply.
  NotEnoughScts,
  // The connection had enough valid SCTs, but the diversity requirement
  // was not met (the number of CT log operators independent of the CA
  // and of each other is too low).
  NotDiverseScts,
};

// Checks whether a TLS connection complies with the current CT policy.
// The implemented policy is based on the Mozilla CT Policy draft 0.1.0
// (see https://docs.google.com/document/d/
// 1rnqYYwscAx8WhS-MCdTiNzYQus9e37HuVyafQvEeNro/edit).
//
// NOTE: CT DIVERSITY REQUIREMENT IS TBD, PENDING FINALIZATION
// OF MOZILLA CT POLICY. Specifically:
// 1. CT log operators being CA-dependent is not currently taken into account
// (see CTDiversityPolicy.h).
// 2. The grandfathering provision of the operator diversity requirement
// is not implemented (see "CT Qualified" section of the policy and
// CheckOperatorDiversityCompliance in CTPolicyEnforcer.cpp).
class CTPolicyEnforcer
{
public:
  // |verifiedSct| - SCTs present on the connection along with their
  // verification status.
  // |certLifetimeInCalendarMonths| - certificate lifetime in full calendar
  // months (i.e. rounded down), based on the notBefore/notAfter fields.
  // |dependentOperators| - which CT log operators are dependent on the CA
  // that issued the certificate. SCTs issued by logs associated with such
  // operators are treated differenly when evaluating the policy.
  // See CTDiversityPolicy class.
  // |compliance| - the result of the compliance check.
  pkix::Result CheckCompliance(const VerifiedSCTList& verifiedScts,
                               size_t certLifetimeInCalendarMonths,
                               const CTLogOperatorList& dependentOperators,
                               CTPolicyCompliance& compliance);
};

} } // namespace mozilla::ct

#endif // CTPolicyEnforcer_h