1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_ 6 #define NET_CERT_CT_LOG_VERIFIER_H_ 7 8 #include <string> 9 10 #include "base/gtest_prod_util.h" 11 #include "base/memory/scoped_ptr.h" 12 #include "base/strings/string_piece.h" 13 #include "net/base/net_export.h" 14 #include "net/cert/signed_certificate_timestamp.h" 15 16 // Forward declare the crypto types to avoid having to include the full 17 // headers. 18 #if defined(USE_OPENSSL) 19 typedef struct evp_pkey_st EVP_PKEY; 20 #else 21 typedef struct SECKEYPublicKeyStr SECKEYPublicKey; 22 #endif 23 24 namespace net { 25 26 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a 27 // specific log (whose identity is provided during construction). 28 class NET_EXPORT CTLogVerifier { 29 public: 30 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps 31 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. 32 // If |public_key| refers to an unsupported public key, returns NULL. 33 // |description| is a textual description of the log. 34 static scoped_ptr<CTLogVerifier> Create( 35 const base::StringPiece& public_key, 36 const base::StringPiece& description); 37 38 ~CTLogVerifier(); 39 40 // Returns the log's key ID (RFC6962, Section 3.2) key_id()41 const std::string& key_id() const { return key_id_; } 42 // Returns the log's human-readable description. description()43 const std::string& description() const { return description_; } 44 45 // Verifies that |sct| contains a valid signature for |entry|. 46 bool Verify(const ct::LogEntry& entry, 47 const ct::SignedCertificateTimestamp& sct); 48 49 private: 50 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); 51 52 CTLogVerifier(); 53 54 // Performs crypto-library specific initialization. 55 bool Init(const base::StringPiece& public_key, 56 const base::StringPiece& description); 57 58 // Performs the underlying verification using the selected public key. Note 59 // that |signature| contains the raw signature data (eg: without any 60 // DigitallySigned struct encoding). 61 bool VerifySignature(const base::StringPiece& data_to_sign, 62 const base::StringPiece& signature); 63 64 std::string key_id_; 65 std::string description_; 66 ct::DigitallySigned::HashAlgorithm hash_algorithm_; 67 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; 68 69 #if defined(USE_OPENSSL) 70 EVP_PKEY* public_key_; 71 #else 72 SECKEYPublicKey* public_key_; 73 #endif 74 }; 75 76 } // namespace net 77 78 #endif // NET_CERT_CT_LOG_VERIFIER_H_ 79