1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef NET_CERT_CT_LOG_VERIFIER_H_ 6#define NET_CERT_CT_LOG_VERIFIER_H_ 7 8#include <string> 9 10#include "base/gtest_prod_util.h" 11#include "base/memory/scoped_ptr.h" 12#include "base/strings/string_piece.h" 13#include "net/base/net_export.h" 14#include "net/cert/signed_certificate_timestamp.h" 15 16// Forward declare the crypto types to avoid having to include the full 17// headers. 18#if defined(USE_OPENSSL) 19typedef struct evp_pkey_st EVP_PKEY; 20#else 21typedef struct SECKEYPublicKeyStr SECKEYPublicKey; 22#endif 23 24namespace net { 25 26namespace ct { 27struct SignedTreeHead; 28} // namespace ct 29 30// Class for verifying Signed Certificate Timestamps (SCTs) provided by a 31// specific log (whose identity is provided during construction). 32class NET_EXPORT CTLogVerifier { 33 public: 34 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps 35 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. 36 // If |public_key| refers to an unsupported public key, returns NULL. 37 // |description| is a textual description of the log. 38 static scoped_ptr<CTLogVerifier> Create( 39 const base::StringPiece& public_key, 40 const base::StringPiece& description); 41 42 ~CTLogVerifier(); 43 44 // Returns the log's key ID (RFC6962, Section 3.2) 45 const std::string& key_id() const { return key_id_; } 46 // Returns the log's human-readable description. 47 const std::string& description() const { return description_; } 48 49 // Verifies that |sct| contains a valid signature for |entry|. 50 bool Verify(const ct::LogEntry& entry, 51 const ct::SignedCertificateTimestamp& sct); 52 53 // Verifies and sets |signed_tree_head|. If |signed_tree_head|'s signature is 54 // valid, stores it and returns true. Otherwise, discards the sth and 55 // returns false. 56 bool SetSignedTreeHead(scoped_ptr<ct::SignedTreeHead> signed_tree_head); 57 58 private: 59 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); 60 61 CTLogVerifier(); 62 63 // Performs crypto-library specific initialization. 64 bool Init(const base::StringPiece& public_key, 65 const base::StringPiece& description); 66 67 // Performs the underlying verification using the selected public key. Note 68 // that |signature| contains the raw signature data (eg: without any 69 // DigitallySigned struct encoding). 70 bool VerifySignature(const base::StringPiece& data_to_sign, 71 const base::StringPiece& signature); 72 73 // Returns true if the signature and hash algorithms in |signature| 74 // match those of the log 75 bool SignatureParametersMatch(const ct::DigitallySigned& signature); 76 77 std::string key_id_; 78 std::string description_; 79 ct::DigitallySigned::HashAlgorithm hash_algorithm_; 80 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; 81 scoped_ptr<ct::SignedTreeHead> signed_tree_head_; 82 83#if defined(USE_OPENSSL) 84 EVP_PKEY* public_key_; 85#else 86 SECKEYPublicKey* public_key_; 87#endif 88}; 89 90} // namespace net 91 92#endif // NET_CERT_CT_LOG_VERIFIER_H_ 93