Home | History | Annotate | Download | only in socket
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H
      6 #define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H
      7 
      8 #include <string>
      9 #include <vector>
     10 
     11 #include "base/string_piece.h"
     12 
     13 namespace net {
     14 
     15 class DnsRRResolver;
     16 
     17 // DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS
     18 // certificates via a DNS side-channel.
     19 class DnsCertProvenanceChecker {
     20  public:
     21   class Delegate {
     22    public:
     23     virtual ~Delegate();
     24 
     25     virtual void OnDnsCertLookupFailed(
     26         const std::string& hostname,
     27         const std::vector<std::string>& der_certs) = 0;
     28   };
     29 
     30   virtual ~DnsCertProvenanceChecker();
     31 
     32   virtual void Shutdown() = 0;
     33 
     34   // DoAsyncVerification starts an asynchronous check for the given certificate
     35   // chain. It must be run on the network thread.
     36   virtual void DoAsyncVerification(
     37       const std::string& hostname,
     38       const std::vector<base::StringPiece>& der_certs) = 0;
     39 
     40 
     41  protected:
     42   // DoAsyncLookup performs a DNS lookup for the given name and certificate
     43   // chain. In the event that the lookup reports a failure, the Delegate is
     44   // called back.
     45   static void DoAsyncLookup(
     46       const std::string& hostname,
     47       const std::vector<base::StringPiece>& der_certs,
     48       DnsRRResolver* dnsrr_resolver,
     49       Delegate* delegate);
     50 
     51   // BuildEncryptedRecord encrypts the certificate chain to a fixed public key
     52   // and returns the encrypted blob. Since this code is reporting a possible
     53   // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded
     54   // report.
     55   static std::string BuildEncryptedReport(
     56       const std::string& hostname,
     57       const std::vector<std::string>& der_certs);
     58 };
     59 
     60 }  // namespace net
     61 
     62 #endif  // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H
     63