Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(166)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/ct_log_verifier.h

Issue 2108833005: Adds domain names for all qualified CT logs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Slightly more documentation about DNS endpoints for logs Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/ct_known_logs_static-inc.h ('k') | net/cert/ct_log_verifier.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_ 5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_
6 #define NET_CERT_CT_LOG_VERIFIER_H_ 6 #define NET_CERT_CT_LOG_VERIFIER_H_
7 7
8 #include <string> 8 #include <string>
9 9
10 #include "base/gtest_prod_util.h" 10 #include "base/gtest_prod_util.h"
(...skipping 22 matching lines...) Expand all
33 // Tree Head (STH) signatures. 33 // Tree Head (STH) signatures.
34 // Immutable: Does not hold any state beyond the log information it was 34 // Immutable: Does not hold any state beyond the log information it was
35 // initialized with. 35 // initialized with.
36 class NET_EXPORT CTLogVerifier 36 class NET_EXPORT CTLogVerifier
37 : public base::RefCountedThreadSafe<CTLogVerifier> { 37 : public base::RefCountedThreadSafe<CTLogVerifier> {
38 public: 38 public:
39 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps 39 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
40 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. 40 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
41 // If |public_key| refers to an unsupported public key, returns NULL. 41 // If |public_key| refers to an unsupported public key, returns NULL.
42 // |description| is a textual description of the log. 42 // |description| is a textual description of the log.
43 // |url| is the URL of the log's HTTPS API endpoint.
44 // |dns_domain| is the DNS name of the log's DNS API endpoint, if one exists.
43 static scoped_refptr<const CTLogVerifier> Create( 45 static scoped_refptr<const CTLogVerifier> Create(
44 const base::StringPiece& public_key, 46 const base::StringPiece& public_key,
45 const base::StringPiece& description, 47 const base::StringPiece& description,
46 const base::StringPiece& url); 48 const base::StringPiece& url,
49 const base::StringPiece& dns_domain);
47 50
48 // Returns the log's key ID (RFC6962, Section 3.2) 51 // Returns the log's key ID (RFC6962, Section 3.2)
49 const std::string& key_id() const { return key_id_; } 52 const std::string& key_id() const { return key_id_; }
50 // Returns the log's human-readable description. 53 // Returns the log's human-readable description.
51 const std::string& description() const { return description_; } 54 const std::string& description() const { return description_; }
52 // Returns the log's URL 55 // Returns the log's URL
53 const GURL& url() const { return url_; } 56 const GURL& url() const { return url_; }
54 57
58 // Returns the log's DNS domain for CT over DNS queries, as described in
59 // https://github.com/google/certificate-transparency-rfcs/blob/master/dns/dra ft-ct-over-dns.md.
60 // This will be empty if the log has no DNS API endpoint.
61 const std::string& dns_domain() const { return dns_domain_; }
62
55 // Verifies that |sct| is valid for |entry| and was signed by this log. 63 // Verifies that |sct| is valid for |entry| and was signed by this log.
56 bool Verify(const ct::LogEntry& entry, 64 bool Verify(const ct::LogEntry& entry,
57 const ct::SignedCertificateTimestamp& sct) const; 65 const ct::SignedCertificateTimestamp& sct) const;
58 66
59 // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962, 67 // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962,
60 // Section 3.5) for this log. 68 // Section 3.5) for this log.
61 bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const; 69 bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const;
62 70
63 // Verifies that |proof| is a valid consistency proof (RFC 6962, Section 71 // Verifies that |proof| is a valid consistency proof (RFC 6962, Section
64 // 2.1.2) for this log, and which proves that |old_tree_hash| has 72 // 2.1.2) for this log, and which proves that |old_tree_hash| has
65 // been fully incorporated into the Merkle tree represented by 73 // been fully incorporated into the Merkle tree represented by
66 // |new_tree_hash|. 74 // |new_tree_hash|.
67 bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof, 75 bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof,
68 const std::string& old_tree_hash, 76 const std::string& old_tree_hash,
69 const std::string& new_tree_hash) const; 77 const std::string& new_tree_hash) const;
70 78
71 private: 79 private:
72 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); 80 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
73 friend class base::RefCountedThreadSafe<CTLogVerifier>; 81 friend class base::RefCountedThreadSafe<CTLogVerifier>;
74 82
75 CTLogVerifier(const base::StringPiece& description, const GURL& url); 83 CTLogVerifier(const base::StringPiece& description,
84 const GURL& url,
85 const base::StringPiece& dns_domain);
76 ~CTLogVerifier(); 86 ~CTLogVerifier();
77 87
78 // Performs crypto-library specific initialization. 88 // Performs crypto-library specific initialization.
79 bool Init(const base::StringPiece& public_key); 89 bool Init(const base::StringPiece& public_key);
80 90
81 // Performs the underlying verification using the selected public key. Note 91 // Performs the underlying verification using the selected public key. Note
82 // that |signature| contains the raw signature data (eg: without any 92 // that |signature| contains the raw signature data (eg: without any
83 // DigitallySigned struct encoding). 93 // DigitallySigned struct encoding).
84 bool VerifySignature(const base::StringPiece& data_to_sign, 94 bool VerifySignature(const base::StringPiece& data_to_sign,
85 const base::StringPiece& signature) const; 95 const base::StringPiece& signature) const;
86 96
87 // Returns true if the signature and hash algorithms in |signature| 97 // Returns true if the signature and hash algorithms in |signature|
88 // match those of the log 98 // match those of the log
89 bool SignatureParametersMatch(const ct::DigitallySigned& signature) const; 99 bool SignatureParametersMatch(const ct::DigitallySigned& signature) const;
90 100
91 std::string key_id_; 101 std::string key_id_;
92 std::string description_; 102 std::string description_;
93 GURL url_; 103 GURL url_;
104 std::string dns_domain_;
94 ct::DigitallySigned::HashAlgorithm hash_algorithm_; 105 ct::DigitallySigned::HashAlgorithm hash_algorithm_;
95 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; 106 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
96 107
97 EVP_PKEY* public_key_; 108 EVP_PKEY* public_key_;
98 }; 109 };
99 110
100 } // namespace net 111 } // namespace net
101 112
102 #endif // NET_CERT_CT_LOG_VERIFIER_H_ 113 #endif // NET_CERT_CT_LOG_VERIFIER_H_
OLDNEW
« no previous file with comments | « net/cert/ct_known_logs_static-inc.h ('k') | net/cert/ct_log_verifier.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698