Chromium Code Reviews Chromium Code Reviews
Issue 230713002:
Certificate Transparency: Parse Signed Tree Heads and validate them (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/cert/ct_log_response_parser.cc |
| diff --git a/net/cert/ct_log_response_parser.cc b/net/cert/ct_log_response_parser.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..891b243fe76d5fe3127bdbc1925091cdcebcee00 |
| --- /dev/null |
| +++ b/net/cert/ct_log_response_parser.cc |
| @@ -0,0 +1,141 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "net/cert/ct_log_response_parser.h" |
| + |
| +#include "base/base64.h" |
| +#include "base/json/json_reader.h" |
| +#include "base/json/json_value_converter.h" |
| +#include "base/logging.h" |
| +#include "base/strings/string_piece.h" |
| +#include "base/time/time.h" |
| +#include "base/values.h" |
| +#include "net/cert/ct_serialization.h" |
| +#include "net/cert/signed_tree_head.h" |
| + |
| +namespace net { |
| + |
| +namespace ct { |
| + |
| +namespace { |
| + |
| +// Structure for making JSON decoding easier. The string fields |
| +// are base64-encoded so will require further decoding. |
| +struct JsonSignedTreeHead { |
| + int tree_size; |
| + double timestamp; |
| + std::string sha256_root_hash; |
| + DigitallySigned signature; |
| + |
| + static void RegisterJSONConverter( |
| + base::JSONValueConverter<JsonSignedTreeHead>* converted); |
| +}; |
| + |
| +bool ConvertSha256RootHash(const base::StringPiece& s, std::string* result) { |
| + if (!base::Base64Decode(s, result)) { |
| + DVLOG(1) << "Failed decoding sha256_root_hash"; |
| + return false; |
| + } |
| + |
| + if (result->length() != kSthRootHashLength) { |
| + DVLOG(1) << "sha256_root_hash is expected to be 32 bytes, but is " |
| + << result->length() << " bytes."; |
| + return false; |
| + } |
| + |
| + return true; |
| +} |
| + |
| +bool ConvertTreeHeadSignature(const base::StringPiece& s, |
| + DigitallySigned* result) { |
| + std::string tree_head_signature; |
| + if (!base::Base64Decode(s, &tree_head_signature)) { |
| + DVLOG(1) << "Failed decoding tree_head_signature"; |
| + return false; |
| + } |
| + |
| + base::StringPiece sp(tree_head_signature); |
| + if (!DecodeDigitallySigned(&sp, result)) { |
| + DVLOG(1) << "Failed decoding signature to DigitallySigned"; |
| + return false; |
| + } |
| + return true; |
| +} |
| + |
| +void JsonSignedTreeHead::RegisterJSONConverter( |
| + base::JSONValueConverter<JsonSignedTreeHead>* converter) { |
| + converter->RegisterIntField("tree_size", &JsonSignedTreeHead::tree_size); |
| + converter->RegisterDoubleField("timestamp", &JsonSignedTreeHead::timestamp); |
| + converter->RegisterCustomField("sha256_root_hash", |
| + &JsonSignedTreeHead::sha256_root_hash, |
| + &ConvertSha256RootHash); |
| + converter->RegisterCustomField<DigitallySigned>( |
| + "tree_head_signature", |
| + &JsonSignedTreeHead::signature, |
| + &ConvertTreeHeadSignature); |
| +} |
| + |
| +bool IsJsonSTHStructurallyValid(const JsonSignedTreeHead& sth) { |
| + if (sth.tree_size < 0) { |
| + DVLOG(1) << "Tree size in Signed Tree Head JSON is negative: " |
| + << sth.tree_size; |
| + return false; |
| + } |
| + |
| + if (sth.timestamp < 0) { |
| + DVLOG(1) << "Timestamp in Signed Tree Head JSON is negative: " |
| + << sth.timestamp; |
| + return false; |
| + } |
| + |
| + if (sth.sha256_root_hash.empty()) { |
| + DVLOG(1) << "Missing SHA256 root hash from Signed Tree Head JSON."; |
| + return false; |
| + } |
| + |
| + if (sth.signature.signature_data.empty()) { |
| + DVLOG(1) << "Missing SHA256 root hash from Signed Tree Head JSON."; |
| + return false; |
| + } |
| + |
| + return true; |
| +} |
| + |
| +} // namespace |
| + |
| +bool FillSignedTreeHead(const base::StringPiece& json_signed_tree_head, |
| + SignedTreeHead* signed_tree_head) { |
| + base::JSONReader json_reader; |
| + scoped_ptr<base::Value> json(json_reader.Read(json_signed_tree_head)); |
| + if (json.get() == NULL) { |
| + DVLOG(1) << "Empty Signed Tree Head JSON."; |
| + return false; |
| + } |
| + |
| + JsonSignedTreeHead parsed_sth; |
| + base::JSONValueConverter<JsonSignedTreeHead> converter; |
| + if (!converter.Convert(*json.get(), &parsed_sth)) { |
| + DVLOG(1) << "Invalid Signed Tree Head JSON."; |
| + return false; |
| + } |
| + |
| + if (!IsJsonSTHStructurallyValid(parsed_sth)) { |
|
Ryan Sleevi
2014/05/08 01:11:54
nit: no braces for the one-liner
Eran Messeri
2014/05/12 20:33:55
Done.
|
| + return false; |
| + } |
| + |
| + signed_tree_head->version = SignedTreeHead::V1; |
| + signed_tree_head->tree_size = parsed_sth.tree_size; |
| + signed_tree_head->timestamp = |
| + base::Time::UnixEpoch() + |
| + base::TimeDelta::FromMilliseconds(parsed_sth.timestamp); |
| + signed_tree_head->signature = parsed_sth.signature; |
| + memcpy(signed_tree_head->sha256_root_hash, |
| + parsed_sth.sha256_root_hash.c_str(), |
| + kSthRootHashLength); |
| + return true; |
| +} |
| + |
| +} // namespace ct |
| + |
| +} // namespace net |
