net/cert/ct_log_verifier.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_
   6 #define NET_CERT_CT_LOG_VERIFIER_H_
   7
   8 #include <string>
   9
  10 #include "base/gtest_prod_util.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "base/strings/string_piece.h"
  13 #include "net/base/net_export.h"
  14 #include "net/cert/signed_certificate_timestamp.h"
  15 #include "url/gurl.h"
  16
  17 // Forward declare the crypto types to avoid having to include the full
  18 // headers.
  19 #if defined(USE_OPENSSL)
  20 typedef struct evp_pkey_st EVP_PKEY;
  21 #else
  22 typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
  23 #endif
  24
  25 namespace net {
  26
  27 namespace ct {
  28 struct SignedTreeHead;
  29 }  // namespace ct
  30
  31 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a
  32 // specific log (whose identity is provided during construction).
  33 class NET_EXPORT CTLogVerifier {
  34  public:
  35   // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
  36   // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
  37   // If |public_key| refers to an unsupported public key, returns NULL.
  38   // |description| is a textual description of the log.
  39   static scoped_ptr<CTLogVerifier> Create(const base::StringPiece& public_key,
  40                                           const base::StringPiece& description,
  41                                           const base::StringPiece& url);
  42
  43   ~CTLogVerifier();
  44
  45   // Returns the log's key ID (RFC6962, Section 3.2)
  46   const std::string& key_id() const { return key_id_; }
  47   // Returns the log's human-readable description.
  48   const std::string& description() const { return description_; }
  49
  50   // Verifies that |sct| contains a valid signature for |entry|.
  51   bool Verify(const ct::LogEntry& entry,
  52               const ct::SignedCertificateTimestamp& sct);
  53
  54   // Returns true if the signature in |signed_tree_head| verifies.
  55   bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head);
  56
  57  private:
  58   FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
  59
  60   CTLogVerifier(const base::StringPiece& description, const GURL& url);
  61
  62   // Performs crypto-library specific initialization.
  63   bool Init(const base::StringPiece& public_key);
  64
  65   // Performs the underlying verification using the selected public key. Note
  66   // that |signature| contains the raw signature data (eg: without any
  67   // DigitallySigned struct encoding).
  68   bool VerifySignature(const base::StringPiece& data_to_sign,
  69                        const base::StringPiece& signature);
  70
  71   // Returns true if the signature and hash algorithms in |signature|
  72   // match those of the log
  73   bool SignatureParametersMatch(const ct::DigitallySigned& signature);
  74
  75   std::string key_id_;
  76   std::string description_;
  77   GURL url_;
  78   ct::DigitallySigned::HashAlgorithm hash_algorithm_;
  79   ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
  80
  81 #if defined(USE_OPENSSL)
  82   EVP_PKEY* public_key_;
  83 #else
  84   SECKEYPublicKey* public_key_;
  85 #endif
  86 };
  87
  88 }  // namespace net
  89
  90 #endif  // NET_CERT_CT_LOG_VERIFIER_H_