1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_CERT_VERIFY_RESULT_H_
6#define NET_CERT_CERT_VERIFY_RESULT_H_
7
8#include <vector>
9
10#include "base/memory/ref_counted.h"
11#include "net/base/net_export.h"
12#include "net/cert/cert_status_flags.h"
13#include "net/cert/ocsp_verify_result.h"
14#include "net/cert/x509_cert_types.h"
15
16namespace net {
17
18class X509Certificate;
19
20// The result of certificate verification.
// The result of certificate verification.
//
// Holds everything a verifier reports about one verification attempt: the
// chain it actually built (|verified_cert|), the CERT_STATUS_* bitmask that
// applies to that chain, which hash algorithms appear in the chain, the
// public-key hashes of the chain, where the trust anchor came from, and the
// outcome of checking a stapled OCSP response.
//
// This is a plain data holder: all members are public and no invariants are
// enforced here. Callers must inspect |cert_status| (see IsCertStatusError()
// in net/cert/cert_status_flags.h) before treating |verified_cert| as
// trustworthy; the other members are only meaningful in the context of that
// status.
class NET_EXPORT CertVerifyResult {
 public:
  // Constructs a result with all members in their default state. The exact
  // defaults (e.g. whether the bools start false) are established in the .cc
  // file; there are no default member initializers in this header.
  CertVerifyResult();
  // Copies every member. |verified_cert| is a scoped_refptr, so the copy
  // shares a reference to the same X509Certificate rather than duplicating it.
  CertVerifyResult(const CertVerifyResult& other);
  ~CertVerifyResult();
  // NOTE(review): the copy constructor and destructor are user-declared but
  // the copy-assignment operator is not, so the implicitly-generated
  // assignment is deprecated under the language rules. Consider declaring it
  // explicitly so the intended copy semantics are stated in one place.

  // Returns every member to its default-constructed state so the object can
  // be reused for another verification. Defined in the .cc file; confirm the
  // reset values there.
  void Reset();

  // Returns true if all the members of |this| are equal to |other|'s (including
  // the |verified_cert| intermediates).
  // No operator!= is declared; callers negate this one.
  bool operator==(const CertVerifyResult& other) const;

  // The certificate chain that was constructed during verification.
  //
  // Note: Although |verified_cert| will match the originally supplied
  // certificate to be validated, the results of intermediate_buffers()
  // may be substantially different, both in order and in content, than the
  // originally supplied intermediates.
  //
  // In the event of validation failures, this may contain the originally
  // supplied certificate chain or a partially constructed path, depending on
  // the implementation.
  //
  // In the event of validation success, the trust anchor will be
  // |verified_cert->intermediate_buffers().back()| if
  // there was a certificate chain to the trust anchor, and will
  // be |verified_cert->cert_buffer()| if the certificate was
  // the trust anchor.
  //
  // Presumably null until a verifier populates it and after Reset(); callers
  // should check before dereferencing. TODO confirm against the .cc.
  scoped_refptr<X509Certificate> verified_cert;

  // Bitmask of CERT_STATUS_* from net/cert/cert_status_flags.h. Note that
  // these status flags apply to the certificate chain returned in
  // |verified_cert|, rather than the originally supplied certificate
  // chain.
  //
  // This is the authoritative verdict: any error bit here means the chain
  // must not be trusted, regardless of what the remaining members say.
  CertStatus cert_status;

  // Hash algorithms used by the certificate chain, excluding the trust
  // anchor. Each flag is set if the named hash algorithm appears anywhere in
  // the chain (presumably in certificate signatures — confirm against the
  // verifier that fills these in). |has_sha1_leaf| additionally singles out
  // the leaf (end-entity) certificate, which callers may want to treat
  // differently from intermediates when applying deprecation policy for
  // MD2/MD4/MD5/SHA-1.
  bool has_md2;
  bool has_md4;
  bool has_md5;
  bool has_sha1;
  bool has_sha1_leaf;

  // If the certificate was successfully verified then this contains the
  // hashes for all of the SubjectPublicKeyInfos of the chain (target,
  // intermediates, and trust anchor)
  //
  // The ordering of the hashes in this vector is unspecified. Both the SHA1
  // and SHA256 hash will be present for each certificate.
  //
  // Contents are unspecified when verification failed; check |cert_status|
  // first. NOTE(review): looks like this is what public-key pinning compares
  // against — verify against callers.
  HashValueVector public_key_hashes;

  // is_issued_by_known_root is true if we recognise the root CA as a standard
  // root. If it isn't then it's probably the case that this certificate was
  // generated by a MITM proxy whose root has been installed locally. This is
  // meaningless if the certificate was not trusted.
  bool is_issued_by_known_root;

  // is_issued_by_additional_trust_anchor is true if the root CA used for this
  // verification came from the list of additional trust anchors.
  // As with |is_issued_by_known_root|, only meaningful when the chain was
  // trusted.
  bool is_issued_by_additional_trust_anchor;

  // Verification of stapled OCSP response, if present. See OCSPVerifyResult in
  // net/cert/ocsp_verify_result.h for how "not present" versus "present but
  // invalid" is represented.
  OCSPVerifyResult ocsp_result;
};
86
87} // namespace net
88
89#endif // NET_CERT_CERT_VERIFY_RESULT_H_
90