net/cert/ct_log_verifier.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/ct_log_verifier.h"
   6
   7 #include "base/logging.h"
   8 #include "net/cert/ct_serialization.h"
   9 #include "net/cert/signed_tree_head.h"
  10
  11 namespace net {
  12
  13 // static
  14 scoped_ptr<CTLogVerifier> CTLogVerifier::Create(
  15     const base::StringPiece& public_key,
  16     const base::StringPiece& description,
  17     const base::StringPiece& url) {
  18   GURL log_url(url.as_string());
  19   if (!log_url.is_valid())
  20     return nullptr;
  21   scoped_ptr<CTLogVerifier> result(new CTLogVerifier(description, log_url));
  22   if (!result->Init(public_key))
  23     result.reset();
  24   return result.Pass();
  25 }
  26
  27 CTLogVerifier::CTLogVerifier(const base::StringPiece& description,
  28                              const GURL& url)
  29     : description_(description.as_string()),
  30       url_(url),
  31       hash_algorithm_(ct::DigitallySigned::HASH_ALGO_NONE),
  32       signature_algorithm_(ct::DigitallySigned::SIG_ALGO_ANONYMOUS),
  33       public_key_(NULL) {
  34   DCHECK(url_.is_valid());
  35 }
  36
  37 bool CTLogVerifier::Verify(const ct::LogEntry& entry,
  38                            const ct::SignedCertificateTimestamp& sct) {
  39   if (sct.log_id != key_id()) {
  40     DVLOG(1) << "SCT is not signed by this log.";
  41     return false;
  42   }
  43
  44   if (!SignatureParametersMatch(sct.signature))
  45     return false;
  46
  47   std::string serialized_log_entry;
  48   if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) {
  49     DVLOG(1) << "Unable to serialize entry.";
  50     return false;
  51   }
  52   std::string serialized_data;
  53   if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry,
  54                                  sct.extensions, &serialized_data)) {
  55     DVLOG(1) << "Unable to create SCT to verify.";
  56     return false;
  57   }
  58
  59   return VerifySignature(serialized_data, sct.signature.signature_data);
  60 }
  61
  62 bool CTLogVerifier::VerifySignedTreeHead(
  63     const ct::SignedTreeHead& signed_tree_head) {
  64   if (!SignatureParametersMatch(signed_tree_head.signature))
  65     return false;
  66
  67   std::string serialized_data;
  68   ct::EncodeTreeHeadSignature(signed_tree_head, &serialized_data);
  69   if (VerifySignature(serialized_data,
  70                       signed_tree_head.signature.signature_data)) {
  71     return true;
  72   }
  73   return false;
  74 }
  75
  76 bool CTLogVerifier::SignatureParametersMatch(
  77     const ct::DigitallySigned& signature) {
  78   if (!signature.SignatureParametersMatch(hash_algorithm_,
  79                                           signature_algorithm_)) {
  80     DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
  81              << hash_algorithm_ << " vs " << signature.hash_algorithm
  82              << " Signature: " << signature_algorithm_ << " vs "
  83              << signature.signature_algorithm << ".";
  84     return false;
  85   }
  86
  87   return true;
  88 }
  89
  90 }  // namespace net