net/cert/ct_log_verifier.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/ct_log_verifier.h"
   6
   7 #include "base/logging.h"
   8 #include "net/cert/ct_serialization.h"
   9 #include "net/cert/signed_tree_head.h"
  10
  11 namespace net {
  12
  13 // static
  14 scoped_ptr<CTLogVerifier> CTLogVerifier::Create(
  15     const base::StringPiece& public_key,
  16     const base::StringPiece& description) {
  17   scoped_ptr<CTLogVerifier> result(new CTLogVerifier());
  18   if (!result->Init(public_key, description))
  19     result.reset();
  20   return result.Pass();
  21 }
  22
  23 bool CTLogVerifier::Verify(const ct::LogEntry& entry,
  24                            const ct::SignedCertificateTimestamp& sct) {
  25   if (sct.log_id != key_id()) {
  26     DVLOG(1) << "SCT is not signed by this log.";
  27     return false;
  28   }
  29
  30   if (!SignatureParametersMatch(sct.signature))
  31     return false;
  32
  33   std::string serialized_log_entry;
  34   if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) {
  35     DVLOG(1) << "Unable to serialize entry.";
  36     return false;
  37   }
  38   std::string serialized_data;
  39   if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry,
  40                                  sct.extensions, &serialized_data)) {
  41     DVLOG(1) << "Unable to create SCT to verify.";
  42     return false;
  43   }
  44
  45   return VerifySignature(serialized_data, sct.signature.signature_data);
  46 }
  47
  48 bool CTLogVerifier::SetSignedTreeHead(
  49     scoped_ptr<ct::SignedTreeHead> signed_tree_head) {
  50   if (!SignatureParametersMatch(signed_tree_head->signature))
  51     return false;
  52
  53   std::string serialized_data;
  54   ct::EncodeTreeHeadSignature(*signed_tree_head.get(), &serialized_data);
  55   if (VerifySignature(serialized_data,
  56                       signed_tree_head->signature.signature_data)) {
  57     signed_tree_head_.reset(signed_tree_head.release());
  58     return true;
  59   }
  60   return false;
  61 }
  62
  63 bool CTLogVerifier::SignatureParametersMatch(
  64     const ct::DigitallySigned& signature) {
  65   if (!signature.SignatureParametersMatch(hash_algorithm_,
  66                                           signature_algorithm_)) {
  67     DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
  68              << hash_algorithm_ << " vs " << signature.hash_algorithm
  69              << " Signature: " << signature_algorithm_ << " vs "
  70              << signature.signature_algorithm << ".";
  71     return false;
  72   }
  73
  74   return true;
  75 }
  76
  77 }  // namespace net