net/cert/internal/signature_algorithm.h - Issue 1218753002: Add DER parsing of AlgorithmId for signatures.

Side by Side Diff: net/cert/internal/signature_algorithm.h

Issue 1218753002: Add DER parsing of AlgorithmId for signatures. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Expand a comment some more... Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef NET_CERT_INTERNAL_SIGNATURE_ALGORITHM_H_

	6 #define NET_CERT_INTERNAL_SIGNATURE_ALGORITHM_H_

	7

	8 #include "base/compiler_specific.h"

	9 #include "net/base/net_export.h"

	10

	11 namespace net {

	12

	13 namespace der {

	14 class Input;

	15 }

	16

	17 enum class SignatureAlgorithmId {

	18 RsaPkcs1_5,

	19 Ecdsa,

	20 };

	21

	22 enum class DigestAlgorithmId {

	23 Sha1,

	24 Sha256,

	25 Sha384,

	26 Sha512,

	27 };

	28

	29 // SignatureAlgorithm describes a signature algorithm and its parameters. This

	30 // corresponds to "AlgorithmIdentifier" from RFC 5280.

	31 struct NET_EXPORT SignatureAlgorithm {
	Ryan Sleevi 2015/06/29 16:36:29 DESIGN: It seems weird to have a structure with en DESIGN: It seems weird to have a structure with enum members that can be created in an undefined/ambiguous state. Should this be moved to a proper class-type with explicit constructors & copying? What if someone just slings a ('null') SignatureAlgorithm around, which looks like it'd be seen as RSA-PKCS#1 v1.5 with SHA-1 eroman 2015/06/29 17:05:06 I will switch this to a full blown class. Show quoted text On 2015/06/29 16:36:29, Ryan Sleevi (slow through 7-15 wrote: > DESIGN: It seems weird to have a structure with enum members that can be created > in an undefined/ambiguous state. > > Should this be moved to a proper class-type with explicit constructors & > copying? What if someone just slings a ('null') SignatureAlgorithm around, which > looks like it'd be seen as RSA-PKCS#1 v1.5 with SHA-1 I will switch this to a full blown class.
	32 // Assigns the SignatureAlgorithm by parsing a DER-encoded

	33 // "AlgorithmIdentifier" (RFC 5280).

	34 //

	35 // Returns true on success.

	36 bool AssignFromDer(const der::Input& signature_algorithm) WARN_UNUSED_RESULT;

	37

	38 // Returns true if \|*this\| is equivalent to \|other\|.

	39 bool Equals(const SignatureAlgorithm& other) const WARN_UNUSED_RESULT;

	40

	41 SignatureAlgorithmId algorithm;

	42 DigestAlgorithmId digest;

	43

	44 // TODO(eroman): Add support for RSASSA-PSS.
	Ryan Sleevi 2015/06/29 16:36:29 Is the idea being that you'll support RSASSA-PSS v Is the idea being that you'll support RSASSA-PSS via explicit sub members? What about the work for EdDSA (Curve25519), which may have similar sub-parameters beyond hash? (I can never quite follow it) I'm just curious how you see handling SignatureAlgorithms with params in a general case, with PSS being a concrete example. eroman 2015/06/29 17:05:06 Let me go ahead and add RSASSA-PSS support to this Show quoted text On 2015/06/29 16:36:29, Ryan Sleevi (slow through 7-15 wrote: > Is the idea being that you'll support RSASSA-PSS via explicit sub members? What > about the work for EdDSA (Curve25519), which may have similar sub-parameters > beyond hash? (I can never quite follow it) > > I'm just curious how you see handling SignatureAlgorithms with params in a > general case, with PSS being a concrete example. Let me go ahead and add RSASSA-PSS support to this changelist, and then we can discuss the design in more concrete terms. My thinking for RSASSA-PSS was to just inline the salt length parameter into SignatureAlgorithm, and then add an enum for RsaSsaPss. I figured for the current set of verification algorithms this approach would be sufficient. When we out-grow this and need to add more parameters for future algorithms, we could switch to using something like WebCryptoAlgorithm which allows for a separate heap-allocated parameters object. An alternate design would be to keep the DER-encoded AlgorithmIdentifier as the canonical representation. This solves needing to duplicate the representation for each algorithm. The downside is this can lead to code that re-parses the DER in several places (when validating the algorithm vs doing the verification vs comparing algorithms), which I think makes for a weaker layering.
	45 };

	46

	47 } // namespace net

	48

	49 #endif // NET_CERT_INTERNAL_SIGNATURE_ALGORITHM_H_

OLD	NEW

« no previous file with comments | « no previous file | net/cert/internal/signature_algorithm.cc » ('j') | no next file with comments »