author | alcutter@google.com <alcutter@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-29 00:02:12 +0000 |
---|---|---|
committer | alcutter@google.com <alcutter@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-29 00:02:12 +0000 |
commit | 0bbd63b3074d6ed8f65b9c90663b9e2b3b02c25c (patch) | |
tree | 5cf02601b0d60415ab65cfca9be171fa6627d753 /net/cert | |
parent | 580ec6b79c40a7e58e896e4f0063ad9eca5d16a3 (diff) | |
SignedCertificateTimestamp storing & serialization code.
This patch builds on Eran's CT wiring patch:
https://codereview.chromium.org/76443006/
BUG=309578
Review URL: https://codereview.chromium.org/88643002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@237849 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert')
-rw-r--r-- | net/cert/ct_verify_result.h | 4 | ||||
-rw-r--r-- | net/cert/multi_log_ct_verifier.cc | 6 | ||||
-rw-r--r-- | net/cert/multi_log_ct_verifier_unittest.cc | 2 | ||||
-rw-r--r-- | net/cert/sct_status_flags.h | 32 | ||||
-rw-r--r-- | net/cert/signed_certificate_timestamp.cc | 41 | ||||
-rw-r--r-- | net/cert/signed_certificate_timestamp.h | 7 |
6 files changed, 86 insertions, 6 deletions
diff --git a/net/cert/ct_verify_result.h b/net/cert/ct_verify_result.h
index ac0a74b..aa90164 100644
--- a/net/cert/ct_verify_result.h
+++ b/net/cert/ct_verify_result.h
@@ -25,8 +25,8 @@ struct NET_EXPORT CTVerifyResult {
 // SCTs from known logs where the signature verified correctly.
 SCTList verified_scts;
 // SCTs from known logs where the signature failed to verify.
- SCTList unverified_scts;
- // SCTs from unknown logs.
+ SCTList invalid_scts;
+ // SCTs from unknown logs and as such are unverifiable.
 SCTList unknown_logs_scts;
 };
diff --git a/net/cert/multi_log_ct_verifier.cc b/net/cert/multi_log_ct_verifier.cc
index 6101097..6c81da2 100644
--- a/net/cert/multi_log_ct_verifier.cc
+++ b/net/cert/multi_log_ct_verifier.cc
@@ -35,7 +35,7 @@ int MultiLogCTVerifier::Verify(
 DCHECK(result);
 result->verified_scts.clear();
- result->unverified_scts.clear();
+ result->invalid_scts.clear();
 result->unknown_logs_scts.clear();
 bool has_verified_scts = false;
@@ -127,14 +127,14 @@ bool MultiLogCTVerifier::VerifySingleSCT(
 if (!it->second->Verify(expected_entry, *sct)) {
 DVLOG(1) << "Unable to verify SCT signature.";
- result->unverified_scts.push_back(sct);
+ result->invalid_scts.push_back(sct);
 return false;
 }
 // SCT verified ok, just make sure the timestamp is legitimate.
 if (sct->timestamp > base::Time::Now()) {
 DVLOG(1) << "SCT is from the future!";
- result->unverified_scts.push_back(sct);
+ result->invalid_scts.push_back(sct);
 return false;
 }
diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc
index 287b150..e233a06 100644
--- a/net/cert/multi_log_ct_verifier_unittest.cc
+++ b/net/cert/multi_log_ct_verifier_unittest.cc
@@ -42,7 +42,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) {
 return (result.verified_scts.size() == 1U) &&
- result.unverified_scts.empty() &&
+ result.invalid_scts.empty() &&
 result.unknown_logs_scts.empty();
 }
diff --git a/net/cert/sct_status_flags.h b/net/cert/sct_status_flags.h
new file mode 100644
index 0000000..1bcb422
--- /dev/null
+++ b/net/cert/sct_status_flags.h
@@ -0,0 +1,32 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_SCT_STATUS_FLAGS_H_
+#define NET_CERT_SCT_STATUS_FLAGS_H_
+
+namespace net {
+
+namespace ct {
+
+// The possible verification statuses for a SignedCertificateTimestamp.
+enum SCTVerifyStatus {
+ // Not a real status, this just prevents a default int value from being
+ // mis-interpreseted as a valid status.
+ SCT_STATUS_NONE = 0,
+
+ // The SCT is from an unknown log, so we cannot verify its signature.
+ SCT_STATUS_LOG_UNKNOWN = 1,
+
+ // The SCT is from a known log, but the signature is invalid.
+ SCT_STATUS_INVALID = 2,
+
+ // The SCT is from a known log, and the signature is valid.
+ SCT_STATUS_OK = 3,
+};
+
+} // namespace ct
+
+} // namespace net
+
+#endif // NET_CERT_SCT_STATUS_FLAGS_H_
diff --git a/net/cert/signed_certificate_timestamp.cc b/net/cert/signed_certificate_timestamp.cc
index 8925a99..bdb54f1 100644
--- a/net/cert/signed_certificate_timestamp.cc
+++ b/net/cert/signed_certificate_timestamp.cc
@@ -4,6 +4,8 @@
 #include "net/cert/signed_certificate_timestamp.h"
+#include "base/pickle.h"
+
 namespace net {
 namespace ct {
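Review bot: The comment on `SCT_STATUS_INVALID` in net/cert/sct_status_flags.h says only that the signature is invalid, but the multi_log_ct_verifier.cc hunk in this same commit also pushes an SCT whose signature verified and whose timestamp lies in the future into `invalid_scts`. If that list is what ends up reported as `SCT_STATUS_INVALID` (the mapping is not visible in this diff), the comment under-describes the state; consider `// The SCT is from a known log, but its signature or timestamp is invalid.` The comment on `SCT_STATUS_NONE` also misspells "mis-interpreted" as "mis-interpreseted".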
@@ -28,6 +30,45 @@ SignedCertificateTimestamp::SignedCertificateTimestamp() {}
 SignedCertificateTimestamp::~SignedCertificateTimestamp() {}
+void SignedCertificateTimestamp::Persist(Pickle* pickle) {
+ CHECK(pickle->WriteInt(version));
+ CHECK(pickle->WriteString(log_id));
+ CHECK(pickle->WriteInt64(timestamp.ToInternalValue()));
+ CHECK(pickle->WriteString(extensions));
+ CHECK(pickle->WriteInt(signature.hash_algorithm));
+ CHECK(pickle->WriteInt(signature.signature_algorithm));
+ CHECK(pickle->WriteString(signature.signature_data));
+}
+
+// static
+scoped_refptr<SignedCertificateTimestamp>
+SignedCertificateTimestamp::CreateFromPickle(PickleIterator* iter) {
+ int version;
+ int64 timestamp;
+ int hash_algorithm;
+ int sig_algorithm;
+ scoped_refptr<SignedCertificateTimestamp> sct(
+ new SignedCertificateTimestamp());
+ // string values are set directly
+ if (!(iter->ReadInt(&version) &&
+ iter->ReadString(&sct->log_id) &&
+ iter->ReadInt64(×tamp) &&
+ iter->ReadString(&sct->extensions) &&
+ iter->ReadInt(&hash_algorithm) &&
+ iter->ReadInt(&sig_algorithm) &&
+ iter->ReadString(&sct->signature.signature_data))) {
+ return NULL;
+ }
+ // Now set the rest of the member variables:
+ sct->version = static_cast<Version>(version);
+ sct->timestamp = base::Time::FromInternalValue(timestamp);
+ sct->signature.hash_algorithm =
+ static_cast<DigitallySigned::HashAlgorithm>(hash_algorithm);
+ sct->signature.signature_algorithm =
+ static_cast<DigitallySigned::SignatureAlgorithm>(sig_algorithm);
+ return sct;
+}
+
 LogEntry::LogEntry() {}
 LogEntry::~LogEntry() {}
diff --git a/net/cert/signed_certificate_timestamp.h b/net/cert/signed_certificate_timestamp.h
index 9c73dee..c3d0009 100644
--- a/net/cert/signed_certificate_timestamp.h
+++ b/net/cert/signed_certificate_timestamp.h
@@ -13,6 +13,9 @@
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
+class Pickle;
+class PickleIterator;
+
 namespace net {
 // Structures related to Certificate Transparency (RFC6962).
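Review bot: `CreateFromPickle` in net/cert/signed_certificate_timestamp.cc casts the `version`, `hash_algorithm` and `sig_algorithm` ints straight to their enum types with no range check, so a corrupted or modified pickle that still parses produces an SCT whose enum fields hold values no enumerator names. The pickle is persisted state, so the function should reject out-of-range values before the casts and return NULL as it already does for a short read, for example `if (version != SCT_VERSION_1) return NULL;` (assuming that is still the only `Version` enumerator; the enums are declared outside this diff), with matching bounds checks on the two algorithm ints. Nothing written by `Persist` records whether the SCT was verified, so a deserialized SCT should not be treated as verified on the strength of the stored bytes alone.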
@@ -93,6 +96,10 @@ struct NET_EXPORT SignedCertificateTimestamp
 SignedCertificateTimestamp();
+ void Persist(Pickle* pickle);
+ static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
+ PickleIterator* iter);
+
 Version version;
 std::string log_id;
 base::Time timestamp; |
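Review bot: The new `Persist` and `CreateFromPickle` declarations in net/cert/signed_certificate_timestamp.h carry no comments, so the header does not say that the two must read and write the fields in the same order or that `CreateFromPickle` returns NULL when the pickle is incomplete. Suggested comments: `// Serializes this SCT into |pickle|; CreateFromPickle() reads the fields back in the same order.` and `// Returns NULL if |iter| does not yield a complete SCT.` `Persist` only reads members in the .cc hunk of this commit, so it could be declared `void Persist(Pickle* pickle) const;`. The struct body starts and ends outside this hunk.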