blob: 38e0930eb6594ec60c77e01fc4dd77b05e32c8cf [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string>
#include "base/gtest_prod_util.h"
#include "base/memory/scoped_ptr.h"
#include "base/strings/string_piece.h"
#include "net/base/net_export.h"
#include "net/cert/signed_certificate_timestamp.h"
// Forward declare the crypto types to avoid having to include the full
// headers.
#if defined(USE_OPENSSL)
typedef struct evp_pkey_st EVP_PKEY;
typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
namespace net {
namespace ct {
struct SignedTreeHead;
} // namespace ct
// Class for verifying Signed Certificate Timestamps (SCTs) provided by a
// specific log (whose identity is provided during construction).
class NET_EXPORT CTLogVerifier {
// Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
// using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
// If |public_key| refers to an unsupported public key, returns NULL.
// |description| is a textual description of the log.
static scoped_ptr<CTLogVerifier> Create(
const base::StringPiece& public_key,
const base::StringPiece& description);
// Returns the log's key ID (RFC6962, Section 3.2)
const std::string& key_id() const { return key_id_; }
// Returns the log's human-readable description.
const std::string& description() const { return description_; }
// Verifies that |sct| contains a valid signature for |entry|.
bool Verify(const ct::LogEntry& entry,
const ct::SignedCertificateTimestamp& sct);
// Verifies and sets |signed_tree_head|. If |signed_tree_head|'s signature is
// valid, stores it and returns true. Otherwise, discards the sth and
// returns false.
bool SetSignedTreeHead(scoped_ptr<ct::SignedTreeHead> signed_tree_head);
FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
// Performs crypto-library specific initialization.
bool Init(const base::StringPiece& public_key,
const base::StringPiece& description);
// Performs the underlying verification using the selected public key. Note
// that |signature| contains the raw signature data (eg: without any
// DigitallySigned struct encoding).
bool VerifySignature(const base::StringPiece& data_to_sign,
const base::StringPiece& signature);
// Returns true if the signature and hash algorithms in |signature|
// match those of the log
bool SignatureParametersMatch(const ct::DigitallySigned& signature);
std::string key_id_;
std::string description_;
ct::DigitallySigned::HashAlgorithm hash_algorithm_;
ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
scoped_ptr<ct::SignedTreeHead> signed_tree_head_;
#if defined(USE_OPENSSL)
EVP_PKEY* public_key_;
SECKEYPublicKey* public_key_;
} // namespace net