Index: net/ssl/token_binding.h |
diff --git a/net/ssl/token_binding.h b/net/ssl/token_binding.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..5eb726ca58b4ba1537a592033acf9e3abca83281 |
--- /dev/null |
+++ b/net/ssl/token_binding.h |
@@ -0,0 +1,90 @@ |
+// Copyright 2015 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef NET_SSL_TOKEN_BINDING_H_ |
+#define NET_SSL_TOKEN_BINDING_H_ |
+ |
+#include <string> |
+#include <vector> |
+ |
+#include "crypto/ec_private_key.h" |
+ |
+namespace net { |
+ |
+// Given a vector of serialized TokenBinding structs (as defined in |
+// draft-ietf-tokbind-protocol-02), this function combines them to form the |
+// serialized TokenBindingMessage struct in |*out|. This function returns a net |
+// error. |
davidben
2015/11/18 20:49:00
You can return a net::Error to make that clearer s
nharper
2015/12/04 01:42:20
Done.
|
+// |
+// struct { |
+// TokenBinding tokenbindings<0..2^16-1>; |
+// } TokenBindingMessage; |
+int BuildTokenBindingMessageFromTokenBindings( |
+ const std::vector<std::string>& token_bindings, |
+ std::string* out); |
+ |
+// Builds a TokenBinding struct with a provided TokenBindingID created from |
+// |*key| and a signature of |ekm| using |*key| to sign. |
+// |
+// enum { |
+// rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255) |
+// } TokenBindingKeyParameters; |
+// |
+// struct { |
+// opaque modulus<1..2^16-1>; |
+// opaque publicexponent<1..2^8-1>; |
+// } RSAPublicKey; |
+// |
+// struct { |
+// opaque point <1..2^8-1>; |
+// } ECPoint; |
+// |
+// enum { |
+// provided_token_binding(0), referred_token_binding(1), (255) |
davidben
2015/11/18 20:49:01
This is somewhat less related, but what exactly is
nharper
2015/12/04 01:42:20
The type (provided vs referred) is for the federat
|
+// } TokenBindingType; |
+// |
+// struct { |
+// TokenBindingType tokenbinding_type; |
+// TokenBindingKeyParameters key_parameters; |
+// select (key_parameters) { |
+// case rsa2048_pkcs1.5: |
+// case rsa2048_pss: |
+// RSAPublicKey rsapubkey; |
+// case ecdsap256: |
+// ECPoint point; |
+// } |
+// } TokenBindingID; |
+// |
+// struct { |
+// TokenBindingID tokenbindingid; |
+// opaque signature<0..2^16-1>;// Signature over the exported keying |
+// // material value |
+// Extension extensions<0..2^16-1>; |
+// } TokenBinding; |
+int BuildProvidedTokenBinding(crypto::ECPrivateKey* key, |
+ const std::vector<uint8_t>& ekm, |
+ std::string* out); |
+ |
+// Given a TokenBindingMessage, parses the first TokenBinding from it, |
+// extracts the ECPoint of the TokenBindingID into |*ec_point|, and extracts the |
+// signature of the EKM value into |*signature|. It also verifies that the first |
+// TokenBinding is a provided Token Binding, and that the key parameters is |
+// ecdsap256. This function returns whether the message was able to be parsed |
+// successfully. |
+bool ParseTokenBindingMessage(const std::string& token_binding_message, |
davidben
2015/11/18 20:49:01
This doesn't appear to have any callers.
nharper
2015/12/04 01:42:20
This is called in url_request_unittest.cc
|
+ std::string* ec_point, |
+ std::string* signature); |
davidben
2015/11/18 20:49:01
StringPiece to avoid all the copies? This function
nharper
2015/12/04 01:42:20
Done.
|
+ |
+// Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a |
+// TokenBinding and verifies that |signature| is the signature of |ekm| using |
+// |ec_point| as the public key. Returns true if the signature verifies and |
+// false if it doesn't or some other error occurs in verification. This function |
+// is only provided for testing. |
+bool VerifyEKMSignature(const std::string& ec_point, |
davidben
2015/11/18 20:49:01
This doesn't appear to have any callers.
nharper
2015/12/04 01:42:20
This is called in url_request_unittest.cc
|
+ const std::string& signature, |
+ const std::string& ekm); |
+ |
+} // namespace net |
+ |
+#endif // NET_SSL_TOKEN_BINDING_H_ |