diff options
| author | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-13 00:18:11 +0000 |
|---|---|---|
| committer | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-13 00:18:11 +0000 |
| commit | ab6eb567415d4c0bd4b6ab14351c2fe0a0f0dcc8 (patch) | |
| tree | 8a851053599d1643fb19f8b0f048b9490165aed9 /net/cert/ct_log_verifier.h | |
| parent | d85fb73104a08ef2bf9868aa1c6fdce51bb865b3 (diff) | |
| download | chromium_src-ab6eb567415d4c0bd4b6ab14351c2fe0a0f0dcc8.zip chromium_src-ab6eb567415d4c0bd4b6ab14351c2fe0a0f0dcc8.tar.gz chromium_src-ab6eb567415d4c0bd4b6ab14351c2fe0a0f0dcc8.tar.bz2 | |
CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a single log.
BUG=309578
Review URL: https://codereview.chromium.org/55953002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@234672 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/ct_log_verifier.h')
| -rw-r--r-- | net/cert/ct_log_verifier.h | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/net/cert/ct_log_verifier.h b/net/cert/ct_log_verifier.h new file mode 100644 index 0000000..b4ee520 --- /dev/null +++ b/net/cert/ct_log_verifier.h @@ -0,0 +1,78 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_CERT_CT_LOG_VERIFIER_H_ +#define NET_CERT_CT_LOG_VERIFIER_H_ + +#include <string> + +#include "base/gtest_prod_util.h" +#include "base/memory/scoped_ptr.h" +#include "base/strings/string_piece.h" +#include "net/base/net_export.h" +#include "net/cert/signed_certificate_timestamp.h" + +// Forward declare the crypto types to avoid having to include the full +// headers. +#if defined(USE_OPENSSL) +typedef struct evp_pkey_st EVP_PKEY; +#else +typedef struct SECKEYPublicKeyStr SECKEYPublicKey; +#endif + +namespace net { + +// Class for verifying Signed Certificate Timestamps (SCTs) provided by a +// specific log (whose identity is provided during construction). +class NET_EXPORT CTLogVerifier { + public: + // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps + // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. + // If |public_key| refers to an unsupported public key, returns NULL. + // |description| is a textual description of the log. + static scoped_ptr<CTLogVerifier> Create( + const base::StringPiece& public_key, + const base::StringPiece& description); + + ~CTLogVerifier(); + + // Returns the log's key ID (RFC6962, Section 3.2) + const std::string& key_id() const { return key_id_; } + // Returns the log's human-readable description. + const std::string& description() const { return description_; } + + // Verifies that |sct| contains a valid signature for |entry|. + bool Verify(const ct::LogEntry& entry, + const ct::SignedCertificateTimestamp& sct); + + private: + FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); + + CTLogVerifier(); + + // Performs crypto-library specific initialization. + bool Init(const base::StringPiece& public_key, + const base::StringPiece& description); + + // Performs the underlying verification using the selected public key. Note + // that |signature| contains the raw signature data (eg: without any + // DigitallySigned struct encoding). + bool VerifySignature(const base::StringPiece& data_to_sign, + const base::StringPiece& signature); + + std::string key_id_; + std::string description_; + ct::DigitallySigned::HashAlgorithm hash_algorithm_; + ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; + +#if defined(USE_OPENSSL) + EVP_PKEY* public_key_; +#else + SECKEYPublicKey* public_key_; +#endif +}; + +} // namespace net + +#endif // NET_CERT_CT_LOG_VERIFIER_H_ |