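--- /dev/null
+++ b/net/ssl/token_binding.h
@@ -0,0 +1,94 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_TOKEN_BINDING_H_
+#define NET_SSL_TOKEN_BINDING_H_
+
+#include <string>
+#include <vector>
+
+#include "base/strings/string_piece.h"
+#include "crypto/ec_private_key.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// Given a vector of serialized TokenBinding structs (as defined in
+// draft-ietf-tokbind-protocol-02), this function combines them to form the
+// serialized TokenBindingMessage struct in |*out|. This function returns a net
+// error.
+//
+// struct {
+// TokenBinding tokenbindings<0..2^16-1>;
+// } TokenBindingMessage;
+Error BuildTokenBindingMessageFromTokenBindings(
+const std::vector<base::StringPiece>& token_bindings,
+std::string* out);
+
+// Builds a TokenBinding struct with a provided TokenBindingID created from
+// |*key| and a signature of |ekm| using |*key| to sign.
+//
+// enum {
+// rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
+// } TokenBindingKeyParameters;
+//
+// struct {
+// opaque modulus<1..2^16-1>;
+// opaque publicexponent<1..2^8-1>;
+// } RSAPublicKey;
+//
+// struct {
+// opaque point <1..2^8-1>;
+// } ECPoint;
+//
+// enum {
+// provided_token_binding(0), referred_token_binding(1), (255)
+// } TokenBindingType;
+//
+// struct {
+// TokenBindingType tokenbinding_type;
+// TokenBindingKeyParameters key_parameters;
+// select (key_parameters) {
+// case rsa2048_pkcs1.5:
+// case rsa2048_pss:
+// RSAPublicKey rsapubkey;
+// case ecdsap256:
+// ECPoint point;
+// }
+// } TokenBindingID;
+//
+// struct {
+// TokenBindingID tokenbindingid;
+// opaque signature<0..2^16-1>;// Signature over the exported keying
+// // material value
+// Extension extensions<0..2^16-1>;
+// } TokenBinding;
+Error BuildProvidedTokenBinding(crypto::ECPrivateKey* key,
+const std::vector<uint8_t>& ekm,
+std::string* out);
+
+// Given a TokenBindingMessage, parses the first TokenBinding from it,
+// extracts the ECPoint of the TokenBindingID into |*ec_point|, and extracts the
+// signature of the EKM value into |*signature|. It also verifies that the first
+// TokenBinding is a provided Token Binding, and that the key parameters is
+// ecdsap256. This function returns whether the message was able to be parsed
+// successfully.
+NET_EXPORT_PRIVATE bool ParseTokenBindingMessage(
+base::StringPiece token_binding_message,
+base::StringPiece* ec_point,
+base::StringPiece* signature);
+
+// Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a
+// TokenBinding and verifies that |signature| is the signature of |ekm| using
+// |ec_point| as the public key. Returns true if the signature verifies and
+// false if it doesn't or some other error occurs in verification. This function
+// is only provided for testing.
+NET_EXPORT_PRIVATE bool VerifyEKMSignature(base::StringPiece ec_point,
+base::StringPiece signature,
+base::StringPiece ekm);
+
+} // namespace net
+
+#endif // NET_SSL_TOKEN_BINDING_H_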
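Review bot: The out-parameters of ParseTokenBindingMessage (new lines 78-81) are base::StringPiece, so on success |*ec_point| and |*signature| presumably alias bytes inside |token_binding_message| rather than holding a copy, and the comment should say so: a caller that drops the message buffer before using them reads freed memory. The comment also lists only structural checks (first binding is provided_token_binding, key parameters is ecdsap256) and is silent on the signature, so a true return must not be read as the binding being authentic; VerifyEKMSignature, which the same header marks as test-only, or a production equivalent still has to run on the extracted pieces. I would add after new line 77: `// The returned StringPieces point into |token_binding_message| and are only` / `// valid while that buffer is. This function does NOT verify the signature.` Whether the parser enforces the `<1..2^8-1>` bound on the ECPoint or rejects trailing bytes after the first TokenBinding cannot be seen from the header and should be stated once the implementation is known.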