Home | History | Annotate | Download | only in cert 
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_
      6 #define NET_CERT_CT_LOG_VERIFIER_H_
      7 
      8 #include <string>
      9 
     10 #include "base/gtest_prod_util.h"
     11 #include "base/memory/scoped_ptr.h"
     12 #include "base/strings/string_piece.h"
     13 #include "net/base/net_export.h"
     14 #include "net/cert/signed_certificate_timestamp.h"
     15 
     16 // Forward declare the crypto types to avoid having to include the full
     17 // headers.
     18 #if defined(USE_OPENSSL)
     19 typedef struct evp_pkey_st EVP_PKEY;
     20 #else
     21 typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
     22 #endif
     23 
     24 namespace net {
     25 
     26 namespace ct {
     27 struct SignedTreeHead;
     28 }  // namespace ct
     29 
     30 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a
     31 // specific log (whose identity is provided during construction).
     32 class NET_EXPORT CTLogVerifier {
     33  public:
     34   // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
     35   // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
     36   // If |public_key| refers to an unsupported public key, returns NULL.
     37   // |description| is a textual description of the log.
     38   static scoped_ptr<CTLogVerifier> Create(
     39       const base::StringPiece& public_key,
     40       const base::StringPiece& description);
     41 
     42   ~CTLogVerifier();
     43 
     44   // Returns the log's key ID (RFC6962, Section 3.2)
     45   const std::string& key_id() const { return key_id_; }
     46   // Returns the log's human-readable description.
     47   const std::string& description() const { return description_; }
     48 
     49   // Verifies that |sct| contains a valid signature for |entry|.
     50   bool Verify(const ct::LogEntry& entry,
     51               const ct::SignedCertificateTimestamp& sct);
     52 
     53   // Verifies and sets |signed_tree_head|. If |signed_tree_head|'s signature is
     54   // valid, stores it and returns true. Otherwise, discards the sth and
     55   // returns false.
     56   bool SetSignedTreeHead(scoped_ptr<ct::SignedTreeHead> signed_tree_head);
     57 
     58  private:
     59   FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
     60 
     61   CTLogVerifier();
     62 
     63   // Performs crypto-library specific initialization.
     64   bool Init(const base::StringPiece& public_key,
     65             const base::StringPiece& description);
     66 
     67   // Performs the underlying verification using the selected public key. Note
     68   // that |signature| contains the raw signature data (eg: without any
     69   // DigitallySigned struct encoding).
     70   bool VerifySignature(const base::StringPiece& data_to_sign,
     71                        const base::StringPiece& signature);
     72 
     73   // Returns true if the signature and hash algorithms in |signature|
     74   // match those of the log
     75   bool SignatureParametersMatch(const ct::DigitallySigned& signature);
     76 
     77   std::string key_id_;
     78   std::string description_;
     79   ct::DigitallySigned::HashAlgorithm hash_algorithm_;
     80   ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
     81   scoped_ptr<ct::SignedTreeHead> signed_tree_head_;
     82 
     83 #if defined(USE_OPENSSL)
     84   EVP_PKEY* public_key_;
     85 #else
     86   SECKEYPublicKey* public_key_;
     87 #endif
     88 };
     89 
     90 }  // namespace net
     91 
     92 #endif  // NET_CERT_CT_LOG_VERIFIER_H_
     93