| // Copyright 2015 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef NET_SSL_TOKEN_BINDING_H_ |
| #define NET_SSL_TOKEN_BINDING_H_ |
| |
| #include <string> |
| #include <vector> |
| |
| #include "base/strings/string_piece.h" |
| #include "crypto/ec_private_key.h" |
| #include "net/base/net_errors.h" |
| #include "net/base/net_export.h" |
| |
| namespace net { |
| |
| enum class TokenBindingType { |
| PROVIDED = 0, |
| REFERRED = 1, |
| }; |
| |
| // Takes an exported keying material value |ekm| from the TLS layer and a token |
| // binding key |key| and signs the EKM, putting the signature in |*out|. Returns |
| // true on success or false if there's an error in the signing operations. |
| bool SignTokenBindingEkm(base::StringPiece ekm, |
| crypto::ECPrivateKey* key, |
| std::vector<uint8_t>* out); |
| |
| // Given a vector of serialized TokenBinding structs (as defined in |
| // draft-ietf-tokbind-protocol-04), this function combines them to form the |
| // serialized TokenBindingMessage struct in |*out|. This function returns a net |
| // error. |
| // |
| // struct { |
| // TokenBinding tokenbindings<0..2^16-1>; |
| // } TokenBindingMessage; |
| Error BuildTokenBindingMessageFromTokenBindings( |
| const std::vector<base::StringPiece>& token_bindings, |
| std::string* out); |
| |
| // Builds a TokenBinding struct of type |type| with a TokenBindingID created |
| // from |*key| and a signature of |ekm| using |*key| to sign. |
| // |
| // enum { |
| // rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255) |
| // } TokenBindingKeyParameters; |
| // |
| // struct { |
| // opaque modulus<1..2^16-1>; |
| // opaque publicexponent<1..2^8-1>; |
| // } RSAPublicKey; |
| // |
| // struct { |
| // opaque point <1..2^8-1>; |
| // } ECPoint; |
| // |
| // enum { |
| // provided_token_binding(0), referred_token_binding(1), (255) |
| // } TokenBindingType; |
| // |
| // struct { |
| // TokenBindingType tokenbinding_type; |
| // TokenBindingKeyParameters key_parameters; |
| // select (key_parameters) { |
| // case rsa2048_pkcs1.5: |
| // case rsa2048_pss: |
| // RSAPublicKey rsapubkey; |
| // case ecdsap256: |
| // ECPoint point; |
| // } |
| // } TokenBindingID; |
| // |
| // struct { |
| // TokenBindingID tokenbindingid; |
| // opaque signature<0..2^16-1>;// Signature over the exported keying |
| // // material value |
| // Extension extensions<0..2^16-1>; |
| // } TokenBinding; |
| Error BuildTokenBinding(TokenBindingType type, |
| crypto::ECPrivateKey* key, |
| const std::vector<uint8_t>& ekm, |
| std::string* out); |
| |
| // Represents a parsed TokenBinding from a TokenBindingMessage. |
| struct TokenBinding { |
| TokenBinding(); |
| |
| TokenBindingType type; |
| std::string ec_point; |
| std::string signature; |
| }; |
| |
| // Given a TokenBindingMessage, parses the TokenBinding structs from it, putting |
| // them into |*token_bindings|. If there is an error parsing the |
| // TokenBindingMessage or the key parameter for any TokenBinding in the |
| // TokenBindingMessage is not ecdsap256, then this function returns false. |
| NET_EXPORT_PRIVATE bool ParseTokenBindingMessage( |
| base::StringPiece token_binding_message, |
| std::vector<TokenBinding>* token_bindings); |
| |
| // Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a |
| // TokenBinding and verifies that |signature| is the signature of |ekm| using |
| // |ec_point| as the public key. Returns true if the signature verifies and |
| // false if it doesn't or some other error occurs in verification. This function |
| // is only provided for testing. |
| NET_EXPORT_PRIVATE bool VerifyEKMSignature(base::StringPiece ec_point, |
| base::StringPiece signature, |
| base::StringPiece ekm); |
| |
| } // namespace net |
| |
| #endif // NET_SSL_TOKEN_BINDING_H_ |