1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_TOKEN_BINDING_H_ | 5 #ifndef NET_SSL_TOKEN_BINDING_H_ |
6 #define NET_SSL_TOKEN_BINDING_H_ | 6 #define NET_SSL_TOKEN_BINDING_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
11 #include "base/strings/string_piece.h" | 11 #include "base/strings/string_piece.h" |
12 #include "crypto/ec_private_key.h" | 12 #include "crypto/ec_private_key.h" |
13 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
14 #include "net/base/net_export.h" | 14 #include "net/base/net_export.h" |
15 | 15 |
16 namespace net { | 16 namespace net { |
17 | 17 |
18 enum TokenBindingType { | |
19 TB_TYPE_PROVIDED = 0, | |
20 TB_TYPE_REFERRED = 1, | |
21 }; | |
22 | |
18 // Returns whether Token Binding is supported on this platform. If this function | 23 // Returns whether Token Binding is supported on this platform. If this function |
19 // returns false, Token Binding must not be negotiated. | 24 // returns false, Token Binding must not be negotiated. |
20 bool IsTokenBindingSupported(); | 25 bool IsTokenBindingSupported(); |
21 | 26 |
22 // Takes an exported keying material value |ekm| from the TLS layer and a token | 27 // Takes an exported keying material value |ekm| from the TLS layer and a token |
23 // binding key |key| and signs the EKM, putting the signature in |*out|. Returns | 28 // binding key |key| and signs the EKM, putting the signature in |*out|. Returns |
24 // true on success or false if there's an error in the signing operations. | 29 // true on success or false if there's an error in the signing operations. |
25 bool SignTokenBindingEkm(base::StringPiece ekm, | 30 bool SignTokenBindingEkm(base::StringPiece ekm, |
26 crypto::ECPrivateKey* key, | 31 crypto::ECPrivateKey* key, |
27 std::vector<uint8_t>* out); | 32 std::vector<uint8_t>* out); |
28 | 33 |
29 // Given a vector of serialized TokenBinding structs (as defined in | 34 // Given a vector of serialized TokenBinding structs (as defined in |
30 // draft-ietf-tokbind-protocol-04), this function combines them to form the | 35 // draft-ietf-tokbind-protocol-04), this function combines them to form the |
31 // serialized TokenBindingMessage struct in |*out|. This function returns a net | 36 // serialized TokenBindingMessage struct in |*out|. This function returns a net |
32 // error. | 37 // error. |
33 // | 38 // |
34 // struct { | 39 // struct { |
35 // TokenBinding tokenbindings<0..2^16-1>; | 40 // TokenBinding tokenbindings<0..2^16-1>; |
36 // } TokenBindingMessage; | 41 // } TokenBindingMessage; |
37 Error BuildTokenBindingMessageFromTokenBindings( | 42 Error BuildTokenBindingMessageFromTokenBindings( |
38 const std::vector<base::StringPiece>& token_bindings, | 43 const std::vector<base::StringPiece>& token_bindings, |
39 std::string* out); | 44 std::string* out); |
40 | 45 |
41 // Builds a TokenBinding struct with a provided TokenBindingID created from | 46 // Builds a TokenBinding struct of type |type| with a TokenBindingID created |
42 // |*key| and a signature of |ekm| using |*key| to sign. | 47 // from |*key| and a signature of |ekm| using |*key| to sign. |
43 // | 48 // |
44 // enum { | 49 // enum { |
45 // rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255) | 50 // rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255) |
46 // } TokenBindingKeyParameters; | 51 // } TokenBindingKeyParameters; |
47 // | 52 // |
48 // struct { | 53 // struct { |
49 // opaque modulus<1..2^16-1>; | 54 // opaque modulus<1..2^16-1>; |
50 // opaque publicexponent<1..2^8-1>; | 55 // opaque publicexponent<1..2^8-1>; |
51 // } RSAPublicKey; | 56 // } RSAPublicKey; |
52 // | 57 // |
66 // case rsa2048_pss: | 71 // case rsa2048_pss: |
67 // RSAPublicKey rsapubkey; | 72 // RSAPublicKey rsapubkey; |
68 // case ecdsap256: | 73 // case ecdsap256: |
69 // ECPoint point; | 74 // ECPoint point; |
70 // } | 75 // } |
71 // } TokenBindingID; | 76 // } TokenBindingID; |
72 // | 77 // |
73 // struct { | 78 // struct { |
74 // TokenBindingID tokenbindingid; | 79 // TokenBindingID tokenbindingid; |
75 // opaque signature<0..2^16-1>;// Signature over the exported keying | 80 // opaque signature<0..2^16-1>;// Signature over the exported keying |
76 // // material value | 81 // // material value |
davidben
2016/03/15 22:49:56
(I'm still kinda confused about the signature not
| |
77 // Extension extensions<0..2^16-1>; | 82 // Extension extensions<0..2^16-1>; |
78 // } TokenBinding; | 83 // } TokenBinding; |
79 Error BuildProvidedTokenBinding(crypto::ECPrivateKey* key, | 84 Error BuildTokenBinding(TokenBindingType type, |
80 const std::vector<uint8_t>& ekm, | 85 crypto::ECPrivateKey* key, |
81 std::string* out); | 86 const std::vector<uint8_t>& ekm, |
87 std::string* out); | |
82 | 88 |
83 // Given a TokenBindingMessage, parses the first TokenBinding from it, | 89 // Represents a parsed TokenBinding from a TokenBindingMessage. |
84 // extracts the ECPoint of the TokenBindingID into |*ec_point|, and extracts the | 90 struct TokenBinding { |
85 // signature of the EKM value into |*signature|. It also verifies that the first | 91 TokenBinding(); |
davidben
2016/03/15 22:49:56
Does this actually need to be initialized out-of-l
nharper
2016/03/16 17:49:22
If I change it to "TokenBinding() {}", I get "erro
davidben
2016/03/24 20:53:51
Acknowledged.
| |
86 // TokenBinding is a provided Token Binding, and that the key parameters is | 92 |
87 // ecdsap256. This function returns whether the message was able to be parsed | 93 TokenBindingType type; |
88 // successfully. | 94 base::StringPiece ec_point; |
95 base::StringPiece signature; | |
96 }; | |
97 | |
98 // Given a TokenBindingMessage, parses the TokenBinding structs from it, putting | |
99 // them into |*token_bindings|. If there is an error parsing the | |
100 // TokenBindingMessage or the key parameter for any TokenBinding in the | |
101 // TokenBindingMessage is not ecdsap25, then this function returns false. | |
89 NET_EXPORT_PRIVATE bool ParseTokenBindingMessage( | 102 NET_EXPORT_PRIVATE bool ParseTokenBindingMessage( |
90 base::StringPiece token_binding_message, | 103 base::StringPiece token_binding_message, |
91 base::StringPiece* ec_point, | 104 std::vector<TokenBinding>* token_bindings); |
92 base::StringPiece* signature); | |
93 | 105 |
94 // Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a | 106 // Takes an ECPoint |ec_point| from a TokenBindingID and |signature| from a |
95 // TokenBinding and verifies that |signature| is the signature of |ekm| using | 107 // TokenBinding and verifies that |signature| is the signature of |ekm| using |
96 // |ec_point| as the public key. Returns true if the signature verifies and | 108 // |ec_point| as the public key. Returns true if the signature verifies and |
97 // false if it doesn't or some other error occurs in verification. This function | 109 // false if it doesn't or some other error occurs in verification. This function |
98 // is only provided for testing. | 110 // is only provided for testing. |
99 NET_EXPORT_PRIVATE bool VerifyEKMSignature(base::StringPiece ec_point, | 111 NET_EXPORT_PRIVATE bool VerifyEKMSignature(base::StringPiece ec_point, |
100 base::StringPiece signature, | 112 base::StringPiece signature, |
101 base::StringPiece ekm); | 113 base::StringPiece ekm); |
102 | 114 |
103 } // namespace net | 115 } // namespace net |
104 | 116 |
105 #endif // NET_SSL_TOKEN_BINDING_H_ | 117 #endif // NET_SSL_TOKEN_BINDING_H_ |
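Review bot: The new `TokenBinding` struct holds `base::StringPiece` members (`ec_point`, `signature`) that, going by the `ParseTokenBindingMessage` contract, view into the `token_binding_message` buffer passed to the parser, yet the struct's comment ("Represents a parsed TokenBinding from a TokenBindingMessage.") says nothing about that lifetime; a caller who keeps the `std::vector<TokenBinding>` after the message buffer is freed would be left with dangling views. I would extend the struct comment with `// |ec_point| and |signature| are views into the TokenBindingMessage that was passed to ParseTokenBindingMessage and are only valid while that buffer is alive.`. The comment on the new `ParseTokenBindingMessage` also has a typo in the key-parameter name: `// TokenBindingMessage is not ecdsap25, then this function returns false.` should read `ecdsap256`, matching the `TokenBindingKeyParameters` enum quoted above `BuildTokenBinding`. Since the old doc promised the parser checked that the first binding was a provided binding and the new one returns every binding with its `type`, it is worth saying explicitly in the `ParseTokenBindingMessage` comment that callers are now responsible for checking `type` on each returned entry.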