net/cert/ct_log_verifier.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_
   6 #define NET_CERT_CT_LOG_VERIFIER_H_
   7
   8 #include <string>
   9
  10 #include "base/gtest_prod_util.h"
  11 #include "base/memory/ref_counted.h"
  12 #include "base/strings/string_piece.h"
  13 #include "net/base/net_export.h"
  14 #include "net/cert/signed_certificate_timestamp.h"
  15 #include "url/gurl.h"
  16
  17 // Forward declare the crypto types to avoid having to include the full
  18 // headers.
  19 #if defined(USE_OPENSSL)
  20 typedef struct evp_pkey_st EVP_PKEY;
  21 #else
  22 typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
  23 #endif
  24
  25 namespace net {
  26
  27 namespace ct {
  28 struct SignedTreeHead;
  29 }  // namespace ct
  30
  31 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a
  32 // specific log (whose identity is provided during construction).
  33 class NET_EXPORT CTLogVerifier
  34     : public base::RefCountedThreadSafe<CTLogVerifier> {
  35  public:
  36   // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
  37   // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
  38   // If |public_key| refers to an unsupported public key, returns NULL.
  39   // |description| is a textual description of the log.
  40   static scoped_refptr<CTLogVerifier> Create(
  41       const base::StringPiece& public_key,
  42       const base::StringPiece& description,
  43       const base::StringPiece& url);
  44
  45   // Returns the log's key ID (RFC6962, Section 3.2)
  46   const std::string& key_id() const { return key_id_; }
  47   // Returns the log's human-readable description.
  48   const std::string& description() const { return description_; }
  49   // Returns the log's URL
  50   const GURL& url() const { return url_; }
  51
  52   // Verifies that |sct| contains a valid signature for |entry|.
  53   bool Verify(const ct::LogEntry& entry,
  54               const ct::SignedCertificateTimestamp& sct);
  55
  56   // Returns true if the signature in |signed_tree_head| verifies.
  57   bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head);
  58
  59  private:
  60   FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
  61   friend class base::RefCountedThreadSafe<CTLogVerifier>;
  62
  63   CTLogVerifier(const base::StringPiece& description, const GURL& url);
  64   ~CTLogVerifier();
  65
  66   // Performs crypto-library specific initialization.
  67   bool Init(const base::StringPiece& public_key);
  68
  69   // Performs the underlying verification using the selected public key. Note
  70   // that |signature| contains the raw signature data (eg: without any
  71   // DigitallySigned struct encoding).
  72   bool VerifySignature(const base::StringPiece& data_to_sign,
  73                        const base::StringPiece& signature);
  74
  75   // Returns true if the signature and hash algorithms in |signature|
  76   // match those of the log
  77   bool SignatureParametersMatch(const ct::DigitallySigned& signature);
  78
  79   std::string key_id_;
  80   std::string description_;
  81   GURL url_;
  82   ct::DigitallySigned::HashAlgorithm hash_algorithm_;
  83   ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
  84
  85 #if defined(USE_OPENSSL)
  86   EVP_PKEY* public_key_;
  87 #else
  88   SECKEYPublicKey* public_key_;
  89 #endif
  90 };
  91
  92 }  // namespace net
  93
  94 #endif  // NET_CERT_CT_LOG_VERIFIER_H_