Chromium Code Reviews Chromium Code Reviews
Issue 230713002:
Certificate Transparency: Parse Signed Tree Heads and validate them (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ct_log_verifier.h" | 5 #include "net/cert/ct_log_verifier.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "net/cert/ct_serialization.h" | 8 #include "net/cert/ct_serialization.h" |
| 9 #include "net/cert/signed_tree_head.h" | |
| 9 | 10 |
| 10 namespace net { | 11 namespace net { |
| 11 | 12 |
| 12 // static | 13 // static |
| 13 scoped_ptr<CTLogVerifier> CTLogVerifier::Create( | 14 scoped_ptr<CTLogVerifier> CTLogVerifier::Create( |
| 14 const base::StringPiece& public_key, | 15 const base::StringPiece& public_key, |
| 15 const base::StringPiece& description) { | 16 const base::StringPiece& description) { |
| 16 scoped_ptr<CTLogVerifier> result(new CTLogVerifier()); | 17 scoped_ptr<CTLogVerifier> result(new CTLogVerifier()); |
| 17 if (!result->Init(public_key, description)) | 18 if (!result->Init(public_key, description)) |
| 18 result.reset(); | 19 result.reset(); |
| 19 return result.Pass(); | 20 return result.Pass(); |
| 20 } | 21 } |
| 21 | 22 |
| 22 bool CTLogVerifier::Verify(const ct::LogEntry& entry, | 23 bool CTLogVerifier::Verify(const ct::LogEntry& entry, |
| 23 const ct::SignedCertificateTimestamp& sct) { | 24 const ct::SignedCertificateTimestamp& sct) { |
| 24 if (sct.log_id != key_id()) { | 25 if (sct.log_id != key_id()) { |
| 25 DVLOG(1) << "SCT is not signed by this log."; | 26 DVLOG(1) << "SCT is not signed by this log."; |
| 26 return false; | 27 return false; |
| 27 } | 28 } |
| 28 | 29 |
| 29 if (sct.signature.hash_algorithm != hash_algorithm_) { | 30 if (!SignatureParametersMatch(sct.signature)) |
| 30 DVLOG(1) << "Mismatched hash algorithm. Expected " << hash_algorithm_ | |
| 31 << ", got " << sct.signature.hash_algorithm << "."; | |
| 32 return false; | 31 return false; |
| 33 } | |
| 34 | |
| 35 if (sct.signature.signature_algorithm != signature_algorithm_) { | |
| 36 DVLOG(1) << "Mismatched sig algorithm. Expected " << signature_algorithm_ | |
| 37 << ", got " << sct.signature.signature_algorithm << "."; | |
| 38 return false; | |
| 39 } | |
| 40 | 32 |
| 41 std::string serialized_log_entry; | 33 std::string serialized_log_entry; |
| 42 if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) { | 34 if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) { |
| 43 DVLOG(1) << "Unable to serialize entry."; | 35 DVLOG(1) << "Unable to serialize entry."; |
| 44 return false; | 36 return false; |
| 45 } | 37 } |
| 46 std::string serialized_data; | 38 std::string serialized_data; |
| 47 if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry, | 39 if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry, |
| 48 sct.extensions, &serialized_data)) { | 40 sct.extensions, &serialized_data)) { |
| 49 DVLOG(1) << "Unable to create SCT to verify."; | 41 DVLOG(1) << "Unable to create SCT to verify."; |
| 50 return false; | 42 return false; |
| 51 } | 43 } |
| 52 | 44 |
| 53 return VerifySignature(serialized_data, sct.signature.signature_data); | 45 return VerifySignature(serialized_data, sct.signature.signature_data); |
| 54 } | 46 } |
| 55 | 47 |
| 48 bool CTLogVerifier::SetSignedTreeHead( | |
| 49 scoped_ptr<ct::SignedTreeHead> signed_tree_head) { | |
| 50 if (!SignatureParametersMatch(signed_tree_head->signature)) | |
| 51 return false; | |
| 52 | |
| 53 std::string serialized_data; | |
| 54 ct::EncodeTreeHeadSignature(*signed_tree_head.get(), &serialized_data); | |
| 55 if (VerifySignature(serialized_data, | |
| 56 signed_tree_head->signature.signature_data)) { | |
| 57 sth_.reset(signed_tree_head.release()); | |
| 58 return true; | |
| 59 } | |
| 60 return false; | |
| 61 } | |
| 62 | |
| 63 bool CTLogVerifier::SignatureParametersMatch( | |
| 64 const ct::DigitallySigned& signature) { | |
|
Ryan Sleevi
2014/04/25 23:33:19
Should this be a helper on ct::DigitallySigned?
Eran Messeri
2014/04/29 15:22:24
Done.
| |
| 65 if (signature.hash_algorithm != hash_algorithm_) { | |
| 66 DVLOG(1) << "Mismatched hash algorithm. Expected " << hash_algorithm_ | |
| 67 << ", got " << signature.hash_algorithm << "."; | |
| 68 return false; | |
| 69 } | |
| 70 | |
| 71 if (signature.signature_algorithm != signature_algorithm_) { | |
| 72 DVLOG(1) << "Mismatched sig algorithm. Expected " << signature_algorithm_ | |
| 73 << ", got " << signature.signature_algorithm << "."; | |
| 74 return false; | |
| 75 } | |
| 76 | |
| 77 return true; | |
| 78 } | |
| 79 | |
| 56 } // namespace net | 80 } // namespace net |
| OLD | NEW |
