Set Token-Binding HTTP header

net/ssl/token_binding.h

Index: net/ssl/token_binding.h
diff --git a/net/ssl/token_binding.h b/net/ssl/token_binding.h
new file mode 100644
index 0000000000000000000000000000000000000000..5ae04c53d708b4f62c543e8dc53dd89cb5fb945d
--- /dev/null
+++ b/net/ssl/token_binding.h
@@ -0,0 +1,94 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_TOKEN_BINDING_H_
+#define NET_SSL_TOKEN_BINDING_H_
+
+#include <string>
+#include <vector>
+
+#include "base/strings/string_piece.h"
+#include "crypto/ec_private_key.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// Given a vector of serialized TokenBinding structs (as defined in
+// draft-ietf-tokbind-protocol-02), this function combines them to form the
+// serialized TokenBindingMessage struct in |*out|. This function returns a net
+// error.
+//
+// struct {
+//     TokenBinding tokenbindings<0..2^16-1>;
+// } TokenBindingMessage;
+Error BuildTokenBindingMessageFromTokenBindings(
+    const std::vector<base::StringPiece>& token_bindings,
+    std::string* out);
+
+// Builds a TokenBinding struct with a provided TokenBindingID created from
+// |*key| and a signature of |ekm| using |*key| to sign.
+//
+// enum {
+//     rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
+// } TokenBindingKeyParameters;
+//
+// struct {
+//     opaque modulus<1..2^16-1>;
+//     opaque publicexponent<1..2^8-1>;
+// } RSAPublicKey;
+//
+// struct {
+//     opaque point <1..2^8-1>;
+// } ECPoint;
+//
+// enum {
+//     provided_token_binding(0), referred_token_binding(1), (255)
+// } TokenBindingType;
+//
+// struct {
+//     TokenBindingType tokenbinding_type;
+//     TokenBindingKeyParameters key_parameters;
+//     select (key_parameters) {
+//         case rsa2048_pkcs1.5:
+//         case rsa2048_pss:
+//             RSAPublicKey rsapubkey;
+//         case ecdsap256:
+//             ECPoint point;
+//     }
+// } TokenBindingID;
+//
+// struct {
+//     TokenBindingID tokenbindingid;
+//     opaque signature<0..2^16-1>;// Signature over the exported keying
+//                                 // material value
+//     Extension extensions<0..2^16-1>;
+// } TokenBinding;
+Error BuildProvidedTokenBinding(crypto::ECPrivateKey* key,
+                                const std::vector<uint8_t>& ekm,
+                                std::string* out);
+
+// Given a TokenBindingMessage, parses the first TokenBinding from it,
+// extracts the ECPoint of the TokenBindingID into |*ec_point|, and extracts the
+// signature of the EKM value into |*signature|. It also verifies that the first
+// TokenBinding is a provided Token Binding, and that the key parameters is
+// ecdsap256. This function returns whether the message was able to be parsed
+// successfully.
+NET_EXPORT_PRIVATE bool ParseTokenBindingMessage(
+    base::StringPiece token_binding_message,
+    base::StringPiece* ec_point,
+    base::StringPiece* signature);
+
+// Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a
+// TokenBinding and verifies that |signature| is the signature of |ekm| using
+// |ec_point| as the public key. Returns true if the signature verifies and
+// false if it doesn't or some other error occurs in verification. This function
+// is only provided for testing.
+NET_EXPORT_PRIVATE bool VerifyEKMSignature(base::StringPiece ec_point,
+                                           base::StringPiece signature,
+                                           base::StringPiece ekm);
+
+}  // namespace net
+
+#endif  // NET_SSL_TOKEN_BINDING_H_