1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/ct_log_verifier.h"
7 #include "base/logging.h"
8 #include "net/cert/ct_serialization.h"
9 #include "net/cert/signed_tree_head.h"
// static
// Builds a verifier for one CT log from its public key, human-readable
// description and URL. Returns null when the URL is malformed or when the key
// cannot be consumed by Init(), so a verifier that is handed out is always
// usable for signature checks.
//
// NOTE(review): the two failure returns and the final `return` of this
// function are absent from the listing as extracted (the original's line
// numbers jump over them); they are restored here from the surrounding
// control flow — confirm against the upstream file.
scoped_refptr<CTLogVerifier> CTLogVerifier::Create(
    const base::StringPiece& public_key,
    const base::StringPiece& description,
    const base::StringPiece& url) {
  // Validate the URL before touching the key: the constructor DCHECKs that
  // url_ is valid, so validity has to be established at this point.
  const GURL parsed_url(url.as_string());
  if (!parsed_url.is_valid())
    return nullptr;

  scoped_refptr<CTLogVerifier> verifier(
      new CTLogVerifier(description, parsed_url));
  // Init() is defined elsewhere; it consumes |public_key| (presumably parsing
  // it and deriving key_id()). A verifier whose key was rejected is never
  // returned, so callers cannot verify against an unset key.
  if (!verifier->Init(public_key))
    return nullptr;

  return verifier;
}
// Stores the log's description and (already validated) URL and seeds the
// algorithm fields with the "none"/"anonymous" placeholders; the real
// parameters are presumably filled in by Init() once the key is parsed.
//
// NOTE(review): the listing as extracted drops the second parameter line,
// the url_ initializer and the final key-member initializer. The parameter
// type follows from the Create() call site (a GURL) and the DCHECK on url_;
// the public_key_ initializer is restored from the upstream file — confirm
// both against it.
CTLogVerifier::CTLogVerifier(const base::StringPiece& description,
                             const GURL& url)
    : description_(description.as_string()),
      url_(url),
      hash_algorithm_(ct::DigitallySigned::HASH_ALGO_NONE),
      signature_algorithm_(ct::DigitallySigned::SIG_ALGO_ANONYMOUS),
      public_key_(nullptr) {
  // Create() rejects invalid URLs before constructing; this guards direct
  // construction paths.
  DCHECK(url_.is_valid());
}
namespace {

// Produces the byte string an SCT signature covers: the serialized log entry
// wrapped in the V1 signed-data structure together with the SCT's timestamp
// and extensions. Logs and returns false if either encoding step fails.
bool SerializeSctSignedData(const ct::LogEntry& entry,
                            const ct::SignedCertificateTimestamp& sct,
                            std::string* signed_data) {
  std::string encoded_entry;
  if (!ct::EncodeLogEntry(entry, &encoded_entry)) {
    DVLOG(1) << "Unable to serialize entry.";
    return false;
  }

  if (!ct::EncodeV1SCTSignedData(sct.timestamp, encoded_entry, sct.extensions,
                                 signed_data)) {
    DVLOG(1) << "Unable to create SCT to verify.";
    return false;
  }
  return true;
}

}  // namespace

// Checks that |sct| is a valid signature by this log over |entry|.
//
// NOTE(review): every early `return false;` in this function is absent from
// the listing as extracted (the original's line numbers jump over them);
// they are restored here from the control flow — confirm against upstream.
bool CTLogVerifier::Verify(const ct::LogEntry& entry,
                           const ct::SignedCertificateTimestamp& sct) {
  // Cheap rejections first. Both fields come from the SCT itself and are
  // therefore under the control of whoever supplied it: they only filter,
  // the signature check at the end is what binds the SCT to this log.
  if (sct.log_id != key_id()) {
    DVLOG(1) << "SCT is not signed by this log.";
    return false;
  }

  if (!SignatureParametersMatch(sct.signature))
    return false;

  std::string signed_data;
  if (!SerializeSctSignedData(entry, sct, &signed_data))
    return false;

  return VerifySignature(signed_data, sct.signature.signature_data);
}
// Checks that |signed_tree_head| carries a valid signature by this log.
//
// Unlike Verify(), there is no log-id pre-check here: the STH structure
// used by this code has no log id field to compare, so the signature check
// is the only thing binding the STH to this log and the caller is
// responsible for routing an STH to the right verifier.
//
// NOTE(review): the early `return false;` and the `return true;`/
// `return false;` pair after the signature check are absent from the
// listing as extracted; they are restored here as a single return of the
// verification result — confirm against the upstream file.
bool CTLogVerifier::VerifySignedTreeHead(
    const ct::SignedTreeHead& signed_tree_head) {
  if (!SignatureParametersMatch(signed_tree_head.signature))
    return false;

  std::string signed_data;
  // NOTE(review): the result of EncodeTreeHeadSignature() is not examined
  // here, whereas Verify() checks both of its encode calls. Its return
  // contract is not visible in this file; if it can report failure, checking
  // it would make the two paths consistent (a partial buffer can only make
  // the signature check below fail, so this is consistency, not a bypass).
  ct::EncodeTreeHeadSignature(signed_tree_head, &signed_data);
  return VerifySignature(signed_data,
                         signed_tree_head.signature.signature_data);
}
76 bool CTLogVerifier::SignatureParametersMatch(
77 const ct::DigitallySigned
& signature
) {
78 if (!signature
.SignatureParametersMatch(hash_algorithm_
,
79 signature_algorithm_
)) {
80 DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
81 << hash_algorithm_
<< " vs " << signature
.hash_algorithm
82 << " Signature: " << signature_algorithm_
<< " vs "
83 << signature
.signature_algorithm
<< ".";