Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / net / cert / ct_log_verifier.h
blob0a9b3eff03d8aa9af62ea68f5085bcc1259a4ead
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_
6 #define NET_CERT_CT_LOG_VERIFIER_H_
8 #include <string>
10 #include "base/gtest_prod_util.h"
11 #include "base/memory/ref_counted.h"
12 #include "base/strings/string_piece.h"
13 #include "net/base/net_export.h"
14 #include "net/cert/signed_certificate_timestamp.h"
15 #include "url/gurl.h"
17 // Forward declare the crypto types to avoid having to include the full
18 // headers.
19 #if defined(USE_OPENSSL)
20 typedef struct evp_pkey_st EVP_PKEY;
21 #else
22 typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
23 #endif
25 namespace net {
27 namespace ct {
28 struct SignedTreeHead;
29 } // namespace ct
31 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a
32 // specific log (whose identity is provided during construction).
33 class NET_EXPORT CTLogVerifier
34 : public base::RefCountedThreadSafe<CTLogVerifier> {
35 public:
36 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
37 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
38 // If |public_key| refers to an unsupported public key, returns NULL.
39 // |description| is a textual description of the log.
40 static scoped_refptr<CTLogVerifier> Create(
41 const base::StringPiece& public_key,
42 const base::StringPiece& description,
43 const base::StringPiece& url);
45 // Returns the log's key ID (RFC6962, Section 3.2)
46 const std::string& key_id() const { return key_id_; }
47 // Returns the log's human-readable description.
48 const std::string& description() const { return description_; }
49 // Returns the log's URL
50 const GURL& url() const { return url_; }
52 // Verifies that |sct| contains a valid signature for |entry|.
53 bool Verify(const ct::LogEntry& entry,
54 const ct::SignedCertificateTimestamp& sct);
56 // Returns true if the signature in |signed_tree_head| verifies.
57 bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head);
59 private:
60 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
61 friend class base::RefCountedThreadSafe<CTLogVerifier>;
63 CTLogVerifier(const base::StringPiece& description, const GURL& url);
64 ~CTLogVerifier();
66 // Performs crypto-library specific initialization.
67 bool Init(const base::StringPiece& public_key);
69 // Performs the underlying verification using the selected public key. Note
70 // that |signature| contains the raw signature data (eg: without any
71 // DigitallySigned struct encoding).
72 bool VerifySignature(const base::StringPiece& data_to_sign,
73 const base::StringPiece& signature);
75 // Returns true if the signature and hash algorithms in |signature|
76 // match those of the log
77 bool SignatureParametersMatch(const ct::DigitallySigned& signature);
79 std::string key_id_;
80 std::string description_;
81 GURL url_;
82 ct::DigitallySigned::HashAlgorithm hash_algorithm_;
83 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
85 #if defined(USE_OPENSSL)
86 EVP_PKEY* public_key_;
87 #else
88 SECKEYPublicKey* public_key_;
89 #endif
92 } // namespace net
94 #endif // NET_CERT_CT_LOG_VERIFIER_H_