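// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H
#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H

#include <string>
#include <vector>

#include "base/string_piece.h"

namespace net {

class DnsRRResolver;

// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS
// certificates via a DNS side-channel.
//
// The public surface (DoAsyncVerification) takes the certificate chain as
// non-owning StringPieces, while the protected helpers that build the report
// take owning std::strings. Which layer copies the DER bytes is not visible
// in this header — confirm against the implementation before relying on the
// caller's buffers being released after DoAsyncVerification returns.
class DnsCertProvenanceChecker {
 public:
  // Delegate receives the result of a provenance lookup. Only the failure
  // path is reported through this interface.
  class Delegate {
   public:
    virtual ~Delegate();

    // Called when the DNS lookup for |hostname| reports a failure for the
    // given DER-encoded certificate chain. |der_certs| are owning copies, so
    // the delegate may retain them.
    virtual void OnDnsCertLookupFailed(
        const std::string& hostname,
        const std::vector<std::string>& der_certs) = 0;
  };

  virtual ~DnsCertProvenanceChecker();

  // Shutdown stops the checker. Whether lookups already in flight are
  // cancelled or still complete (and still call the Delegate) is not
  // specified here — confirm with the concrete implementation.
  virtual void Shutdown() = 0;

  // DoAsyncVerification starts an asynchronous check for the given certificate
  // chain. It must be run on the network thread.
  //
  // |der_certs| are non-owning views of the DER certificates; see the class
  // comment regarding their lifetime.
  virtual void DoAsyncVerification(
      const std::string& hostname,
      const std::vector<base::StringPiece>& der_certs) = 0;

 protected:
  // DoAsyncLookup performs a DNS lookup for the given name and certificate
  // chain. In the event that the lookup reports a failure, the Delegate is
  // called back.
  //
  // NOTE(review): |dnsrr_resolver| and |delegate| are raw, non-owning
  // pointers and this header does not state who keeps them alive while the
  // asynchronous lookup is outstanding — confirm against the caller.
  static void DoAsyncLookup(
      const std::string& hostname,
      const std::vector<base::StringPiece>& der_certs,
      DnsRRResolver* dnsrr_resolver,
      Delegate* delegate);

  // BuildEncryptedReport encrypts the certificate chain to a fixed public key
  // and returns the encrypted blob. Since this code is reporting a possible
  // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded
  // report.
  //
  // The public key is not defined in this header (presumably it lives in the
  // implementation file); the confidentiality of the uploaded report — which
  // contains |hostname| and the full chain — rests entirely on that key.
  static std::string BuildEncryptedReport(
      const std::string& hostname,
      const std::vector<std::string>& der_certs);
};

}  // namespace net

#endif  // NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H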