1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/ct_log_verifier.h"
6
7 #include "base/logging.h"
8 #include "net/cert/ct_serialization.h"
9 #include "net/cert/signed_tree_head.h"
10
11 namespace net {
12
13 // static
Create(const base::StringPiece & public_key,const base::StringPiece & description)14 scoped_ptr<CTLogVerifier> CTLogVerifier::Create(
15 const base::StringPiece& public_key,
16 const base::StringPiece& description) {
17 scoped_ptr<CTLogVerifier> result(new CTLogVerifier());
18 if (!result->Init(public_key, description))
19 result.reset();
20 return result.Pass();
21 }
22
Verify(const ct::LogEntry & entry,const ct::SignedCertificateTimestamp & sct)23 bool CTLogVerifier::Verify(const ct::LogEntry& entry,
24 const ct::SignedCertificateTimestamp& sct) {
25 if (sct.log_id != key_id()) {
26 DVLOG(1) << "SCT is not signed by this log.";
27 return false;
28 }
29
30 if (!SignatureParametersMatch(sct.signature))
31 return false;
32
33 std::string serialized_log_entry;
34 if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) {
35 DVLOG(1) << "Unable to serialize entry.";
36 return false;
37 }
38 std::string serialized_data;
39 if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry,
40 sct.extensions, &serialized_data)) {
41 DVLOG(1) << "Unable to create SCT to verify.";
42 return false;
43 }
44
45 return VerifySignature(serialized_data, sct.signature.signature_data);
46 }
47
SetSignedTreeHead(scoped_ptr<ct::SignedTreeHead> signed_tree_head)48 bool CTLogVerifier::SetSignedTreeHead(
49 scoped_ptr<ct::SignedTreeHead> signed_tree_head) {
50 if (!SignatureParametersMatch(signed_tree_head->signature))
51 return false;
52
53 std::string serialized_data;
54 ct::EncodeTreeHeadSignature(*signed_tree_head.get(), &serialized_data);
55 if (VerifySignature(serialized_data,
56 signed_tree_head->signature.signature_data)) {
57 signed_tree_head_.reset(signed_tree_head.release());
58 return true;
59 }
60 return false;
61 }
62
SignatureParametersMatch(const ct::DigitallySigned & signature)63 bool CTLogVerifier::SignatureParametersMatch(
64 const ct::DigitallySigned& signature) {
65 if (!signature.SignatureParametersMatch(hash_algorithm_,
66 signature_algorithm_)) {
67 DVLOG(1) << "Mismatched hash or signature algorithm. Hash: "
68 << hash_algorithm_ << " vs " << signature.hash_algorithm
69 << " Signature: " << signature_algorithm_ << " vs "
70 << signature.signature_algorithm << ".";
71 return false;
72 }
73
74 return true;
75 }
76
77 } // namespace net
78