1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef CTLogVerifier_h
8 #define CTLogVerifier_h
10 #include "CTKnownLogs.h"
13 #include "SignedCertificateTimestamp.h"
14 #include "mozilla/glean/GleanMetrics.h"
15 #include "mozpkix/Input.h"
16 #include "mozpkix/Result.h"
17 #include "mozpkix/pkix.h"
18 #include "signature_cache_ffi.h"
23 // Verifies Signed Certificate Timestamps (SCTs) provided by a specific log
24 // using the public key of that log. Assumes the SCT being verified
25 // matches the log by log key ID and signature parameters (an error is returned
27 // The verification functions return Success if the provided SCT has passed
28 // verification, ERROR_BAD_SIGNATURE if failed verification, or other result
32 // |operatorId| The numeric ID of the log operator.
33 // |logState| "Qualified", "Usable", "ReadOnly", or "Retired".
34 // |timestamp| timestamp associated with logState.
35 CTLogVerifier(CTLogOperatorId operatorId
, CTLogState logState
,
38 // Initializes the verifier with the given subjectPublicKeyInfo.
39 // |subjectPublicKeyInfo| is a DER-encoded SubjectPublicKeyInfo.
40 // An error is returned if |subjectPublicKeyInfo| refers to an unsupported
42 pkix::Result
Init(pkix::Input subjectPublicKeyInfo
);
44 // Returns the log's key ID, which is a SHA256 hash of its public key.
45 // See RFC 6962, Section 3.2.
46 const Buffer
& keyId() const { return mKeyId
; }
48 CTLogOperatorId
operatorId() const { return mOperatorId
; }
49 CTLogState
state() const { return mState
; }
50 uint64_t timestamp() const { return mTimestamp
; }
52 // Verifies that |sct| contains a valid signature for |entry|.
53 // |sct| must be signed by the verifier's log.
54 pkix::Result
Verify(const LogEntry
& entry
,
55 const SignedCertificateTimestamp
& sct
,
56 SignatureCache
* signatureCache
);
58 // Returns true if the signature and hash algorithms in |signature|
59 // match those of the log.
60 bool SignatureParametersMatch(const DigitallySigned
& signature
);
63 // Performs the underlying verification using the log's public key. Note
64 // that |signature| contains the raw signature data (i.e. without any
65 // DigitallySigned struct encoding).
66 // Returns Success if passed verification, ERROR_BAD_SIGNATURE if failed
67 // verification, or other result on error.
68 pkix::Result
VerifySignature(pkix::Input data
, pkix::Input signature
,
69 SignatureCache
* signatureCache
);
70 pkix::Result
VerifySignature(const Buffer
& data
, const Buffer
& signature
,
71 SignatureCache
* signatureCache
);
73 Buffer mSubjectPublicKeyInfo
;
75 DigitallySigned::SignatureAlgorithm mSignatureAlgorithm
;
76 CTLogOperatorId mOperatorId
;
82 } // namespace mozilla
84 #endif // CTLogVerifier_h