Chromium Code Reviews Chromium Code Reviews
Issue 2108833005:
Adds domain names for all qualified CT logs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_ | 5 #ifndef NET_CERT_CT_LOG_VERIFIER_H_ |
| 6 #define NET_CERT_CT_LOG_VERIFIER_H_ | 6 #define NET_CERT_CT_LOG_VERIFIER_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/gtest_prod_util.h" | 10 #include "base/gtest_prod_util.h" |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 33 // Tree Head (STH) signatures. | 33 // Tree Head (STH) signatures. |
| 34 // Immutable: Does not hold any state beyond the log information it was | 34 // Immutable: Does not hold any state beyond the log information it was |
| 35 // initialized with. | 35 // initialized with. |
| 36 class NET_EXPORT CTLogVerifier | 36 class NET_EXPORT CTLogVerifier |
| 37 : public base::RefCountedThreadSafe<CTLogVerifier> { | 37 : public base::RefCountedThreadSafe<CTLogVerifier> { |
| 38 public: | 38 public: |
| 39 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps | 39 // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps |
| 40 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. | 40 // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo. |
| 41 // If |public_key| refers to an unsupported public key, returns NULL. | 41 // If |public_key| refers to an unsupported public key, returns NULL. |
| 42 // |description| is a textual description of the log. | 42 // |description| is a textual description of the log. |
| 43 // |url| is the URL of the log's HTTPS API endpoint. | |
| 44 // |domain| is the DNS name of the log's DNS API endpoint, if one exists. | |
|
Eran Messeri
2016/06/30 20:02:51
rename |domain| to |dns_domain| throughout so it'
Rob Percival
2016/07/08 09:45:42
Done.
| |
| 43 static scoped_refptr<const CTLogVerifier> Create( | 45 static scoped_refptr<const CTLogVerifier> Create( |
| 44 const base::StringPiece& public_key, | 46 const base::StringPiece& public_key, |
| 45 const base::StringPiece& description, | 47 const base::StringPiece& description, |
| 46 const base::StringPiece& url); | 48 const base::StringPiece& url, |
| 49 const base::StringPiece& domain = nullptr); | |
| 47 | 50 |
| 48 // Returns the log's key ID (RFC6962, Section 3.2) | 51 // Returns the log's key ID (RFC6962, Section 3.2) |
| 49 const std::string& key_id() const { return key_id_; } | 52 const std::string& key_id() const { return key_id_; } |
| 50 // Returns the log's human-readable description. | 53 // Returns the log's human-readable description. |
| 51 const std::string& description() const { return description_; } | 54 const std::string& description() const { return description_; } |
| 52 // Returns the log's URL | 55 // Returns the log's URL |
| 53 const GURL& url() const { return url_; } | 56 const GURL& url() const { return url_; } |
| 54 | 57 |
| 58 // Returns the log's domain (for CT over DNS queries). | |
|
Eran Messeri
2016/06/30 20:02:51
Nit: Link to the CT-over-DNS protocol documentatio
Rob Percival
2016/07/08 09:45:42
Done.
| |
| 59 // This will be empty if the log has no DNS API endpoint. | |
| 60 const std::string& domain() const { return domain_; } | |
| 61 | |
| 55 // Verifies that |sct| is valid for |entry| and was signed by this log. | 62 // Verifies that |sct| is valid for |entry| and was signed by this log. |
| 56 bool Verify(const ct::LogEntry& entry, | 63 bool Verify(const ct::LogEntry& entry, |
| 57 const ct::SignedCertificateTimestamp& sct) const; | 64 const ct::SignedCertificateTimestamp& sct) const; |
| 58 | 65 |
| 59 // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962, | 66 // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962, |
| 60 // Section 3.5) for this log. | 67 // Section 3.5) for this log. |
| 61 bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const; | 68 bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const; |
| 62 | 69 |
| 63 // Verifies that |proof| is a valid consistency proof (RFC 6962, Section | 70 // Verifies that |proof| is a valid consistency proof (RFC 6962, Section |
| 64 // 2.1.2) for this log, and which proves that |old_tree_hash| has | 71 // 2.1.2) for this log, and which proves that |old_tree_hash| has |
| 65 // been fully incorporated into the Merkle tree represented by | 72 // been fully incorporated into the Merkle tree represented by |
| 66 // |new_tree_hash|. | 73 // |new_tree_hash|. |
| 67 bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof, | 74 bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof, |
| 68 const std::string& old_tree_hash, | 75 const std::string& old_tree_hash, |
| 69 const std::string& new_tree_hash) const; | 76 const std::string& new_tree_hash) const; |
| 70 | 77 |
| 71 private: | 78 private: |
| 72 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); | 79 FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature); |
| 73 friend class base::RefCountedThreadSafe<CTLogVerifier>; | 80 friend class base::RefCountedThreadSafe<CTLogVerifier>; |
| 74 | 81 |
| 75 CTLogVerifier(const base::StringPiece& description, const GURL& url); | 82 CTLogVerifier(const base::StringPiece& description, |
| 83 const GURL& url, | |
| 84 const base::StringPiece& domain); | |
| 76 ~CTLogVerifier(); | 85 ~CTLogVerifier(); |
| 77 | 86 |
| 78 // Performs crypto-library specific initialization. | 87 // Performs crypto-library specific initialization. |
| 79 bool Init(const base::StringPiece& public_key); | 88 bool Init(const base::StringPiece& public_key); |
| 80 | 89 |
| 81 // Performs the underlying verification using the selected public key. Note | 90 // Performs the underlying verification using the selected public key. Note |
| 82 // that |signature| contains the raw signature data (eg: without any | 91 // that |signature| contains the raw signature data (eg: without any |
| 83 // DigitallySigned struct encoding). | 92 // DigitallySigned struct encoding). |
| 84 bool VerifySignature(const base::StringPiece& data_to_sign, | 93 bool VerifySignature(const base::StringPiece& data_to_sign, |
| 85 const base::StringPiece& signature) const; | 94 const base::StringPiece& signature) const; |
| 86 | 95 |
| 87 // Returns true if the signature and hash algorithms in |signature| | 96 // Returns true if the signature and hash algorithms in |signature| |
| 88 // match those of the log | 97 // match those of the log |
| 89 bool SignatureParametersMatch(const ct::DigitallySigned& signature) const; | 98 bool SignatureParametersMatch(const ct::DigitallySigned& signature) const; |
| 90 | 99 |
| 91 std::string key_id_; | 100 std::string key_id_; |
| 92 std::string description_; | 101 std::string description_; |
| 93 GURL url_; | 102 GURL url_; |
| 103 std::string domain_; | |
|
Eran Messeri
2016/06/30 20:02:51
As mentioned above, dns_domain_.
Rob Percival
2016/07/08 09:45:42
Done.
| |
| 94 ct::DigitallySigned::HashAlgorithm hash_algorithm_; | 104 ct::DigitallySigned::HashAlgorithm hash_algorithm_; |
| 95 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; | 105 ct::DigitallySigned::SignatureAlgorithm signature_algorithm_; |
| 96 | 106 |
| 97 EVP_PKEY* public_key_; | 107 EVP_PKEY* public_key_; |
| 98 }; | 108 }; |
| 99 | 109 |
| 100 } // namespace net | 110 } // namespace net |
| 101 | 111 |
| 102 #endif // NET_CERT_CT_LOG_VERIFIER_H_ | 112 #endif // NET_CERT_CT_LOG_VERIFIER_H_ |
| OLD | NEW |
