Chromium Code Reviews Chromium Code Reviews
Issue 230713002:
Certificate Transparency: Parse Signed Tree Heads and validate them (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/ct_log_response_parser.h" | |
| 6 | |
| 7 #include "base/base64.h" | |
| 8 #include "base/json/json_reader.h" | |
| 9 #include "base/logging.h" | |
| 10 #include "base/time/time.h" | |
| 11 #include "base/values.h" | |
| 12 #include "net/cert/ct_serialization.h" | |
| 13 #include "net/cert/signed_tree_head.h" | |
| 14 | |
| 15 namespace net { | |
| 16 | |
| 17 namespace ct { | |
| 18 | |
| 19 bool CTLogResponseParser::FillSignedTreeHead(const base::StringPiece& json_sth, | |
| 20 SignedTreeHead* sth) { | |
| 21 base::JSONReader json_reader; | |
| 22 base::Value* json = json_reader.Read(json_sth); | |
|
Ryan Sleevi
2014/04/09 18:23:11
Have you looked at base/json/json_value_converter.
Eran Messeri
2014/04/10 21:08:29
It does make life easier - used than instead, than
| |
| 23 if (json == NULL) { | |
| 24 DVLOG(1) << "Empty Signed Tree Head JSON."; | |
| 25 return false; | |
| 26 } | |
| 27 | |
| 28 const base::DictionaryValue* json_dict; | |
| 29 if (!json->GetAsDictionary(&json_dict)) { | |
| 30 DVLOG(1) << "Json STH is not a dictionary."; | |
| 31 return false; | |
| 32 } | |
| 33 | |
| 34 int tree_size; | |
| 35 if (!json_dict->GetInteger("tree_size", &tree_size)) { | |
| 36 DVLOG(1) << "Missing tree_size in Json STH"; | |
| 37 return false; | |
| 38 } | |
| 39 | |
| 40 double timestamp; | |
| 41 if (!json_dict->GetDouble("timestamp", ×tamp)) { | |
| 42 DVLOG(1) << "Missing timestamp in Json STH"; | |
| 43 return false; | |
| 44 } | |
| 45 | |
| 46 std::string sha256_root_hash; | |
| 47 if (!json_dict->GetString("sha256_root_hash", &sha256_root_hash)) { | |
| 48 DVLOG(1) << "Missing sha256_root_hash in Json STH"; | |
| 49 return false; | |
| 50 } | |
| 51 | |
| 52 std::string tree_head_signature; | |
| 53 if (!json_dict->GetString("tree_head_signature", &tree_head_signature)) { | |
| 54 DVLOG(1) << "Missing tree_head_signature in Json STH"; | |
| 55 return false; | |
| 56 } | |
| 57 | |
| 58 std::string decoded_root_hash; | |
| 59 if (!base::Base64Decode(sha256_root_hash, &decoded_root_hash)) { | |
| 60 DVLOG(1) << "Failed decoding sha256_root_hash"; | |
| 61 return false; | |
| 62 } | |
| 63 | |
| 64 if (decoded_root_hash.length() != kSthRootHashLength) { | |
| 65 DVLOG(1) << "sha256_root_hash is expected to be 32 bytes, but is " | |
| 66 << decoded_root_hash.length() << " bytes."; | |
| 67 return false; | |
| 68 } | |
| 69 | |
| 70 std::string decoded_signature; | |
| 71 if (!base::Base64Decode(tree_head_signature, &decoded_signature)) { | |
| 72 DVLOG(1) << "Failed decoding tree_head_signature"; | |
| 73 return false; | |
| 74 } | |
| 75 | |
| 76 // It's OK to decode the signature directly into the output as this is the | |
| 77 // last check before filling in all other fields. | |
| 78 // If decoding of the DigitallySigned part fails, the STH will not contain | |
| 79 // partial data. If it passes, all other fields will be filled as well. | |
| 80 base::StringPiece sp(decoded_signature); | |
| 81 if (!DecodeDigitallySigned(&sp, &(sth->signature))) { | |
| 82 DVLOG(1) << "Failed decoding signature to DigitallySigned"; | |
| 83 return false; | |
| 84 } | |
| 85 | |
| 86 sth->version = SignedTreeHead::V1; | |
| 87 sth->tree_size = tree_size; | |
| 88 sth->timestamp = | |
| 89 base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(timestamp); | |
| 90 memcpy(sth->sha256_root_hash, decoded_root_hash.c_str(), kSthRootHashLength); | |
| 91 return true; | |
| 92 } | |
| 93 | |
| 94 } // namespace ct | |
| 95 | |
| 96 } // namespace net | |
| OLD | NEW |
