1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/ct_log_verifier.h"
6 
7 #include "base/logging.h"
8 #include "net/cert/ct_serialization.h"
9 #include "net/cert/signed_tree_head.h"
10 
11 namespace net {
12 
// static
// Allocates a CTLogVerifier and initialises it with |public_key| and
// |description|. Returns a null scoped_ptr when Init() reports failure, so a
// caller never receives a verifier whose initialisation did not succeed.
scoped_ptr<CTLogVerifier> CTLogVerifier::Create(
    const base::StringPiece& public_key,
    const base::StringPiece& description) {
  scoped_ptr<CTLogVerifier> verifier(new CTLogVerifier());
  if (verifier->Init(public_key, description))
    return verifier.Pass();

  // Init() failed: the half-built object is destroyed on scope exit and the
  // caller gets an empty pointer it has to test before use.
  return scoped_ptr<CTLogVerifier>();
}
22 
// Checks that |sct| is a signature by this log over |entry|.
//
// The checks run in a fixed order and each failure returns false:
//   1. |sct.log_id| must equal this verifier's key_id().
//   2. The hash/signature algorithms declared in |sct.signature| must match
//      the ones this verifier holds (see SignatureParametersMatch()).
//   3. |entry| and the SCT fields (timestamp, extensions) must serialize.
//   4. The signature bytes must verify over that serialized data.
//
// Only the signed structure rebuilt here from |entry| and |sct| is verified,
// so nothing the caller has not passed in is covered by a true result.
bool CTLogVerifier::Verify(const ct::LogEntry& entry,
                           const ct::SignedCertificateTimestamp& sct) {
  // An SCT naming another log is rejected before any signature work is done.
  const bool names_other_log = sct.log_id != key_id();
  if (names_other_log) {
    DVLOG(1) << "SCT is not signed by this log.";
    return false;
  }

  // The SCT's own algorithm fields are never used to pick a verification
  // algorithm; a mismatch with the verifier's parameters ends the check here.
  if (!SignatureParametersMatch(sct.signature))
    return false;

  std::string encoded_entry;
  const bool entry_encoded = ct::EncodeLogEntry(entry, &encoded_entry);
  if (!entry_encoded) {
    DVLOG(1) << "Unable to serialize entry.";
    return false;
  }

  // Rebuild the exact byte string the log is expected to have signed.
  std::string signed_input;
  const bool input_encoded = ct::EncodeV1SCTSignedData(
      sct.timestamp, encoded_entry, sct.extensions, &signed_input);
  if (!input_encoded) {
    DVLOG(1) << "Unable to create SCT to verify.";
    return false;
  }

  return VerifySignature(signed_input, sct.signature.signature_data);
}
47 
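// Stores |signed_tree_head| as this log's current tree head, but only after
// its signature has been verified with this verifier's key.
//
// Takes ownership of |signed_tree_head| in every case; when false is returned
// the object is destroyed and the previously stored head is left untouched.
// Returns false for a null pointer, for a hash/signature algorithm mismatch
// and for a signature that does not verify.
//
// NOTE(review): nothing in this function compares the new head with the one
// already stored, so any validly signed head replaces the current one, older
// ones included. Confirm that callers enforce ordering if they depend on it.
bool CTLogVerifier::SetSignedTreeHead(
    scoped_ptr<ct::SignedTreeHead> signed_tree_head) {
  // A null head would otherwise be dereferenced by the parameter check below.
  if (!signed_tree_head.get()) {
    DVLOG(1) << "No signed tree head supplied.";
    return false;
  }

  if (!SignatureParametersMatch(signed_tree_head->signature))
    return false;

  // Rebuild the byte string the log is expected to have signed.
  std::string serialized_data;
  ct::EncodeTreeHeadSignature(*signed_tree_head.get(), &serialized_data);
  if (!VerifySignature(serialized_data,
                       signed_tree_head->signature.signature_data)) {
    return false;
  }

  // Verified: only now does the new head replace the stored one.
  signed_tree_head_.reset(signed_tree_head.release());
  return true;
}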
62 
// Returns true when the hash and signature algorithms declared in |signature|
// are the ones held by this verifier (hash_algorithm_, signature_algorithm_).
// On a mismatch both pairs of values are logged at DVLOG(1) and false is
// returned, so the callers in this file stop before verifying the signature.
bool CTLogVerifier::SignatureParametersMatch(
    const ct::DigitallySigned& signature) {
  const bool parameters_agree =
      signature.SignatureParametersMatch(hash_algorithm_, signature_algorithm_);
  if (parameters_agree)
    return true;

  DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
           << hash_algorithm_ << " vs " << signature.hash_algorithm
           << " Signature: " << signature_algorithm_ << " vs "
           << signature.signature_algorithm << ".";
  return false;
}
76 
77 }  // namespace net
78