Bug 1936278 - Prevent search mode chiclet from being dismissed when clicking in page...
[gecko.git] / security / ct / CTLogVerifier.h
blobf49dd1e874761864c8cf9453cd4c5cde5b3f911f
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef CTLogVerifier_h
8 #define CTLogVerifier_h
10 #include "CTKnownLogs.h"
11 #include "CTLog.h"
12 #include "CTUtils.h"
13 #include "SignedCertificateTimestamp.h"
14 #include "mozilla/glean/GleanMetrics.h"
15 #include "mozpkix/Input.h"
16 #include "mozpkix/Result.h"
17 #include "mozpkix/pkix.h"
18 #include "signature_cache_ffi.h"
20 namespace mozilla {
21 namespace ct {
23 // Verifies Signed Certificate Timestamps (SCTs) provided by a specific log
24 // using the public key of that log. Assumes the SCT being verified
25 // matches the log by log key ID and signature parameters (an error is returned
26 // otherwise).
27 // The verification functions return Success if the provided SCT has passed
28 // verification, ERROR_BAD_SIGNATURE if failed verification, or other result
29 // on error.
30 class CTLogVerifier {
31 public:
32 // |operatorId| The numeric ID of the log operator.
33 // |logState| "Qualified", "Usable", "ReadOnly", or "Retired".
34 // |timestamp| timestamp associated with logState.
35 CTLogVerifier(CTLogOperatorId operatorId, CTLogState logState,
36 uint64_t timestamp);
38 // Initializes the verifier with the given subjectPublicKeyInfo.
39 // |subjectPublicKeyInfo| is a DER-encoded SubjectPublicKeyInfo.
40 // An error is returned if |subjectPublicKeyInfo| refers to an unsupported
41 // public key.
42 pkix::Result Init(pkix::Input subjectPublicKeyInfo);
44 // Returns the log's key ID, which is a SHA256 hash of its public key.
45 // See RFC 6962, Section 3.2.
46 const Buffer& keyId() const { return mKeyId; }
48 CTLogOperatorId operatorId() const { return mOperatorId; }
49 CTLogState state() const { return mState; }
50 uint64_t timestamp() const { return mTimestamp; }
52 // Verifies that |sct| contains a valid signature for |entry|.
53 // |sct| must be signed by the verifier's log.
54 pkix::Result Verify(const LogEntry& entry,
55 const SignedCertificateTimestamp& sct,
56 SignatureCache* signatureCache);
58 // Returns true if the signature and hash algorithms in |signature|
59 // match those of the log.
60 bool SignatureParametersMatch(const DigitallySigned& signature);
62 private:
63 // Performs the underlying verification using the log's public key. Note
64 // that |signature| contains the raw signature data (i.e. without any
65 // DigitallySigned struct encoding).
66 // Returns Success if passed verification, ERROR_BAD_SIGNATURE if failed
67 // verification, or other result on error.
68 pkix::Result VerifySignature(pkix::Input data, pkix::Input signature,
69 SignatureCache* signatureCache);
70 pkix::Result VerifySignature(const Buffer& data, const Buffer& signature,
71 SignatureCache* signatureCache);
73 Buffer mSubjectPublicKeyInfo;
74 Buffer mKeyId;
75 DigitallySigned::SignatureAlgorithm mSignatureAlgorithm;
76 CTLogOperatorId mOperatorId;
77 CTLogState mState;
78 uint64_t mTimestamp;
81 } // namespace ct
82 } // namespace mozilla
84 #endif // CTLogVerifier_h