author | eranm@chromium.org <eranm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-12 21:56:33 +0000 |
---|---|---|
committer | eranm@chromium.org <eranm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-12 21:56:33 +0000 |
commit | 93dc8d7c4de2bd7f623ad60aa20c3e1942f9fa05 (patch) | |
tree | 5377251a4bf71a68d4dd1e927ca9c652b566e437 /net/cert/ct_log_verifier.cc | |
parent | ae03c3996ab0d11de116fefbe2d0c26b34699aa8 (diff) | |
Certificate Transparency: Parse Signed Tree Heads and validate them
This change lays the groundwork for fetching STHs from CT logs and
using them for inclusion proof validation.
This change contains:
* A SignedTreeHead struct representing a signed tree head.
* CTLogResponseParser - a class to parse the STH returned by the log in
JSON format and fill in SignedTreeHead.
* An encoding function to create the binary blob over which the signature
in the STH applies.
* Addition to the CTLogVerifier class to validate and store provided STHs,
which uses the encoding function mentioned above.
BUG=
Review URL: https://codereview.chromium.org/230713002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@269887 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/ct_log_verifier.cc')
-rw-r--r-- | net/cert/ct_log_verifier.cc | 41 |
1 files changed, 31 insertions, 10 deletions
diff --git a/net/cert/ct_log_verifier.cc b/net/cert/ct_log_verifier.cc
index 1c9374d..6efb96a 100644
--- a/net/cert/ct_log_verifier.cc
+++ b/net/cert/ct_log_verifier.cc
@@ -6,6 +6,7 @@
 #include "base/logging.h"
 #include "net/cert/ct_serialization.h"
+#include "net/cert/signed_tree_head.h"
 namespace net {
@@ -26,17 +27,8 @@ bool CTLogVerifier::Verify(const ct::LogEntry& entry,
 return false;
 }
- if (sct.signature.hash_algorithm != hash_algorithm_) {
- DVLOG(1) << "Mismatched hash algorithm. Expected " << hash_algorithm_
- << ", got " << sct.signature.hash_algorithm << ".";
+ if (!SignatureParametersMatch(sct.signature))
 return false;
- }
-
- if (sct.signature.signature_algorithm != signature_algorithm_) {
- DVLOG(1) << "Mismatched sig algorithm. Expected " << signature_algorithm_
- << ", got " << sct.signature.signature_algorithm << ".";
- return false;
- }
 std::string serialized_log_entry;
 if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) {
@@ -53,4 +45,33 @@ bool CTLogVerifier::Verify(const ct::LogEntry& entry,
 return VerifySignature(serialized_data, sct.signature.signature_data);
 }
+bool CTLogVerifier::SetSignedTreeHead(
+ scoped_ptr<ct::SignedTreeHead> signed_tree_head) {
+ if (!SignatureParametersMatch(signed_tree_head->signature))
+ return false;
+
+ std::string serialized_data;
+ ct::EncodeTreeHeadSignature(*signed_tree_head.get(), &serialized_data);
+ if (VerifySignature(serialized_data,
+ signed_tree_head->signature.signature_data)) {
+ signed_tree_head_.reset(signed_tree_head.release());
+ return true;
+ }
+ return false;
+}
+
+bool CTLogVerifier::SignatureParametersMatch(
+ const ct::DigitallySigned& signature) {
+ if (!signature.SignatureParametersMatch(hash_algorithm_,
+ signature_algorithm_)) {
+ DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
+ << hash_algorithm_ << " vs " << signature.hash_algorithm
+ << " Signature: " << signature_algorithm_ << " vs "
+ << signature.signature_algorithm << ".";
+ return false;
+ }
+
+ return true;
+}
+
 } // namespace net |
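Review bot: SetSignedTreeHead replaces `signed_tree_head_` with any head whose signature verifies, so a validly signed but older STH can overwrite a newer one; nothing in this hunk compares the incoming head with the one already stored. If the stored head is later going to anchor inclusion-proof checks, as the description suggests, consider refusing a head that moves backwards, e.g. `if (signed_tree_head_ && signed_tree_head->timestamp < signed_tree_head_->timestamp) return false;` (field name assumed, since the SignedTreeHead struct is not shown on this page), or state in a comment that callers own freshness and consistency checking. The function also dereferences `signed_tree_head` before any null check; `DCHECK(signed_tree_head.get());` as the first line would make that contract explicit. Unlike `ct::EncodeLogEntry` in Verify, the result of `ct::EncodeTreeHeadSignature` is not checked here; if it can report failure, the signature would be verified over incomplete data.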