Certificate Transparency: Parse Signed Tree Heads and validate them

net/cert/ct_serialization.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_serialization.h"
 
 #include "base/basictypes.h"
 #include "base/logging.h"
 
 namespace net {
@@ skipping 16 matching lines @@
 
 // Members of the digitally-signed struct of a V1 SCT
 const size_t kSignatureTypeLength = 1;
 const size_t kLogEntryTypeLength = 2;
 const size_t kAsn1CertificateLengthBytes = 3;
 const size_t kTbsCertificateLengthBytes = 3;
 
 const size_t kSCTListLengthBytes = 2;
 const size_t kSerializedSCTLengthBytes = 2;
 
+// Members of digitally-signed struct of a STH
+const size_t kTreeSizeLength = 8;
+
 enum SignatureType {
   SIGNATURE_TYPE_CERTIFICATE_TIMESTAMP = 0,
   TREE_HASH = 1,
 };
 
 // Reads a TLS-encoded variable length unsigned integer from |in|.
 // The integer is expected to be in big-endian order, which is used by TLS.
 // The bytes read from |in| are discarded (i.e. |in|'s prefix removed)
 // |length| indicates the size (in bytes) of the integer. On success, returns
 // true and stores the result in |*out|.
@@ skipping 231 matching lines @@
   WriteUint(kLogEntryTypeLength, input.type, output);
   switch (input.type) {
     case LogEntry::LOG_ENTRY_TYPE_X509:
       return EncodeAsn1CertLogEntry(input, output);
     case LogEntry::LOG_ENTRY_TYPE_PRECERT:
       return EncodePrecertLogEntry(input, output);
   }
   return false;
 }
 
+static void WriteTimeSinceEpoch(const base::Time& timestamp,
+                                std::string* output) {
+  base::TimeDelta time_since_epoch = timestamp - base::Time::UnixEpoch();
+  WriteUint(kTimestampLength, time_since_epoch.InMilliseconds(), output);
+}
+
 bool EncodeV1SCTSignedData(const base::Time& timestamp,
                            const std::string& serialized_log_entry,
                            const std::string& extensions,
                            std::string* output) {
   WriteUint(kVersionLength, SignedCertificateTimestamp::SCT_VERSION_1,
             output);
   WriteUint(kSignatureTypeLength, SIGNATURE_TYPE_CERTIFICATE_TIMESTAMP,
             output);
-  base::TimeDelta time_since_epoch = timestamp - base::Time::UnixEpoch();
-  WriteUint(kTimestampLength, time_since_epoch.InMilliseconds(),
-            output);
+  WriteTimeSinceEpoch(timestamp, output);
   // NOTE: serialized_log_entry must already be serialized and contain the
   // length as the prefix.
   WriteEncodedBytes(serialized_log_entry, output);
   return WriteVariableBytes(kExtensionsLengthBytes, extensions, output);
 }
 
+void EncodeTreeHeadSignature(const SignedTreeHead& sth, std::string* output) {
+  WriteUint(kVersionLength, sth.version, output);
+  WriteUint(kSignatureTypeLength, TREE_HASH, output);
+  WriteTimeSinceEpoch(sth.timestamp, output);
+  WriteUint(kTreeSizeLength, sth.tree_size, output);
+  WriteEncodedBytes(base::StringPiece(sth.sha256_root_hash, kSthRootHashLength),
+                    output);
+}
+
 bool DecodeSCTList(base::StringPiece* input,
                    std::vector<base::StringPiece>* output) {
   std::vector<base::StringPiece> result;
   if (!ReadList(kSCTListLengthBytes, kSerializedSCTLengthBytes,
                 input, &result)) {
     return false;
   }
 
   if (!input->empty() || result.empty())
     return false;
@@ skipping 44 matching lines @@
 bool EncodeSCTListForTesting(const base::StringPiece& sct,
                              std::string* output) {
   std::string encoded_sct;
   return WriteVariableBytes(kSerializedSCTLengthBytes, sct, &encoded_sct) &&
       WriteVariableBytes(kSCTListLengthBytes, encoded_sct, output);
 }
 
 }  // namespace ct
 
 }  // namespace net