Set Token-Binding HTTP header

net/ssl/token_binding.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_TOKEN_BINDING_H_
+#define NET_SSL_TOKEN_BINDING_H_
+
+#include <string>
+#include <vector>
+
+#include "crypto/ec_private_key.h"
+
+namespace net {
+
+// Given a vector of serialized TokenBinding structs (as defined in
+// draft-ietf-tokbind-protocol-02), this function combines them to form the
+// serialized TokenBindingMessage struct in |*out|. This function returns a net
+// error.

[davidben, 2015/11/18 20:49:00]

You can return a net::Error to make that clearer since you're not muxing in an
output size with it.

[nharper, 2015/12/04 01:42:20]

Done.

+//
+// struct {
+//     TokenBinding tokenbindings<0..2^16-1>;
+// } TokenBindingMessage;
+int BuildTokenBindingMessageFromTokenBindings(
+    const std::vector<std::string>& token_bindings,
+    std::string* out);
+
+// Builds a TokenBinding struct with a provided TokenBindingID created from
+// |*key| and a signature of |ekm| using |*key| to sign.
+//
+// enum {
+//     rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
+// } TokenBindingKeyParameters;
+//
+// struct {
+//     opaque modulus<1..2^16-1>;
+//     opaque publicexponent<1..2^8-1>;
+// } RSAPublicKey;
+//
+// struct {
+//     opaque point <1..2^8-1>;
+// } ECPoint;
+//
+// enum {
+//     provided_token_binding(0), referred_token_binding(1), (255)

[davidben, 2015/11/18 20:49:01]

This is somewhat less related, but what exactly is this provided vs. referred
thing supposed to be for? Whatever it is, we don't actually sign the type.

[nharper, 2015/12/04 01:42:20]

The type (provided vs referred) is for the federated use case (which I haven't
implemented yet). A provided token binding on a connection between client and
server A is when the client uses its keypair for server A to sign, while a
referred token binding is when the client connects to server B and uses its
keypair for server A (as well as sending a provided token binding using the
keypair for B). This is so that server B can generate a token containing the
public key for server A that the client will present to server A.

In terms of not signing the type, I can't think of a danger of that (so long as
the exported keying material can't be replicated on another connection, but if
that's the case, then there are much larger protocol problems with token
binding).

+// } TokenBindingType;
+//
+// struct {
+//     TokenBindingType tokenbinding_type;
+//     TokenBindingKeyParameters key_parameters;
+//     select (key_parameters) {
+//         case rsa2048_pkcs1.5:
+//         case rsa2048_pss:
+//             RSAPublicKey rsapubkey;
+//         case ecdsap256:
+//             ECPoint point;
+//     }
+// } TokenBindingID;
+//
+// struct {
+//     TokenBindingID tokenbindingid;
+//     opaque signature<0..2^16-1>;// Signature over the exported keying
+//                                 // material value
+//     Extension extensions<0..2^16-1>;
+// } TokenBinding;
+int BuildProvidedTokenBinding(crypto::ECPrivateKey* key,
+                              const std::vector<uint8_t>& ekm,
+                              std::string* out);
+
+// Given a TokenBindingMessage, parses the first TokenBinding from it,
+// extracts the ECPoint of the TokenBindingID into |*ec_point|, and extracts the
+// signature of the EKM value into |*signature|. It also verifies that the first
+// TokenBinding is a provided Token Binding, and that the key parameters is
+// ecdsap256. This function returns whether the message was able to be parsed
+// successfully.
+bool ParseTokenBindingMessage(const std::string& token_binding_message,

[davidben, 2015/11/18 20:49:01]

This doesn't appear to have any callers.

[nharper, 2015/12/04 01:42:20]

This is called in url_request_unittest.cc

+                              std::string* ec_point,
+                              std::string* signature);

[davidben, 2015/11/18 20:49:01]

StringPiece to avoid all the copies? This function could just take in
StringPiece and spit out StringPieces

[nharper, 2015/12/04 01:42:20]

Done.

+
+// Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a
+// TokenBinding and verifies that |signature| is the signature of |ekm| using
+// |ec_point| as the public key. Returns true if the signature verifies and
+// false if it doesn't or some other error occurs in verification. This function
+// is only provided for testing.
+bool VerifyEKMSignature(const std::string& ec_point,

[davidben, 2015/11/18 20:49:01]

This doesn't appear to have any callers.

[nharper, 2015/12/04 01:42:20]

This is called in url_request_unittest.cc

+                        const std::string& signature,
+                        const std::string& ekm);
+
+}  // namespace net
+
+#endif  // NET_SSL_TOKEN_BINDING_H_