Add Certificate Transparency logs auditing

net/cert/merkle_tree_leaf.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_MERKLE_TREE_LEAF_H_
 #define NET_CERT_MERKLE_TREE_LEAF_H_
 
 #include <memory>
 #include <string>
 
 #include "base/time/time.h"
 #include "net/base/net_export.h"
 #include "net/cert/signed_certificate_timestamp.h"
 
 namespace net {
 
 class X509Certificate;
 
 namespace ct {
 
 // Represents a MerkleTreeLeaf as defined in RFC6962, section 3.4.

[Ryan Sleevi, 2016/06/30 22:48:19]

Unfortunately, finding an explanation about how this relates to the overall
narrative is quite difficult. The documentation could have been improved here.

[Eran Messeri, 2016/07/01 13:24:01]

Expanded the documentation (in another CL) to indicate what's the purpose of
this  struct.

 // Has all the data as the MerkleTreeLeaf defined in the RFC, arranged
 // slightly differently.

[Ryan Sleevi, 2016/06/30 22:48:19]

Does RFC 6962-bis do something differently? It's unclear why we need this
structure.

[Ryan Sleevi, 2016/06/30 22:48:19]

Why is it arranged differently?

[Eran Messeri, 2016/07/01 13:24:01]

Yes, 6962-bis does (see details in the other comment). I think we'll have to
carefully inspect all CT-related data structures when we come to implement
6962-bis, as serialization is different and not all fields have the same meaning
or structure.

[Eran Messeri, 2016/07/01 13:24:01]

Explained (in another CL).

 struct NET_EXPORT MerkleTreeLeaf {
   MerkleTreeLeaf();
+  MerkleTreeLeaf(const MerkleTreeLeaf& other);
+  MerkleTreeLeaf(MerkleTreeLeaf&&);
   ~MerkleTreeLeaf();
 
   // The log id this leaf belongs to.
   std::string log_id;
 
   // Certificate / Precertificate and indication of entry type.
   LogEntry log_entry;
 
   // Timestamp from the SCT.
   base::Time timestamp;
 
   // Extensions from the SCT.
   std::string extensions;
 };
 
 NET_EXPORT bool GetMerkleTreeLeaf(const X509Certificate* cert,

[Ryan Sleevi, 2016/06/30 22:48:19]

Should have been documented.

[Eran Messeri, 2016/07/01 13:24:01]

Done (in a separate CL).

                                   const SignedCertificateTimestamp* sct,
                                   MerkleTreeLeaf* merkle_tree_leaf);
 
 // Sets |*out| to the hash of the Merkle |tree_leaf|, as defined in RFC6962.
 // Returns true if the hash was generated, false if an error occurred.

[Ryan Sleevi, 2016/06/30 22:48:19]

Same here - does 6962-bis change this?

Naming wise, this should have been named something better HashMerkleTreeLeaf or
something;

reading net::ct::Hash(...) doesn't really give much insight.

[Eran Messeri, 2016/07/01 13:24:01]

(1) Renamed to HashMerkleTreeLeaf (in a separate CL).
(2) Serialization in 6962-bis is different:
 * Data structures are different: in 6962-bis everything is a TransItem,
including the tree leaf
(https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-16#section-5.4), so
the hash is over a structure serialized in a different way.
(2) The LogEntry from 6962 is incompatible with the equivalent in 6962-bis,
because in 6962 the hash is over the entire X.509 certificate (if the entry is
*not* a precertificate) or over the TBSCertificate + issuer key hash (if the
entry *is* a precertificate). In 6962-bis the hash is always over the
tbscertificate + issuer key hash.

My suggestion is to reason about reconciling these structures with 6962-bis
implementation once 6962-bis is finalized.

 NET_EXPORT bool Hash(const MerkleTreeLeaf& tree_leaf, std::string* out);
 
 }  // namespace ct
 
 }  // namespace net
 
 #endif  // NET_CERT_MERKLE_TREE_LEAF_H_