/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// A helper enum to describe the result of running CheckCTPolicyCompliance on a // collection of verified SCTs. enumclass CTPolicyCompliance { // The connection complied with the certificate policy // by including SCTs that satisfy the policy.
Compliant, // The connection did not have enough valid SCTs to comply.
NotEnoughScts, // The connection had enough valid SCTs, but the diversity requirement // was not met (the number of CT log operators independent of the CA // and of each other is too low).
NotDiverseScts,
};
// Checks the collected verified SCTs for compliance with the CT policy. // The policy is based on Chrome's policy as described here: // https://googlechrome.github.io/CertificateTransparency/ct_policy.html // This policy (as well as Chrome's), is very similar to Apple's: // https://support.apple.com/en-us/103214 // Essentially, the policy can be satisfied in two ways, depending on the // source of the collected SCTs. // For embedded SCTs, at least one must be from a log that was Admissible // (Qualified, Usable, or ReadOnly) at the time of the check. There must be // SCTs from N distinct logs that were Admissible or Retired at the time of the // check, where N depends on the lifetime of the certificate. If the // certificate lifetime is less than or equal to 180 days, N is 2. Otherwise, N // is 3. Among these SCTs, at least two must be issued from distinct log // operators. // For SCTs delivered via the TLS handshake or an OCSP response, at least two // must be from a log that was Admissible at the time of the check. Among these // SCTs, at least two must be issued from distinct log operators. // // |verifiedSct| - SCTs present on the connection along with their verification // status. // |certLifetime| - certificate lifetime, based on the notBefore/notAfter // fields.
CTPolicyCompliance CheckCTPolicyCompliance(const VerifiedSCTList& verifiedScts,
pkix::Duration certLifetime);
} // namespace ct
} // namespace mozilla
#endif// CTPolicyEnforcer_h
¤ Dauer der Verarbeitung: 0.19 Sekunden
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
