Chromium Code Reviews| Index: net/cert/ct_log_response_parser.cc |
| diff --git a/net/cert/ct_log_response_parser.cc b/net/cert/ct_log_response_parser.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..7537243402bd0cbf47aadc15f7fad1e9f65a405f |
| --- /dev/null |
| +++ b/net/cert/ct_log_response_parser.cc |
| @@ -0,0 +1,96 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "net/cert/ct_log_response_parser.h" |
| + |
| +#include "base/base64.h" |
| +#include "base/json/json_reader.h" |
| +#include "base/logging.h" |
| +#include "base/time/time.h" |
| +#include "base/values.h" |
| +#include "net/cert/ct_serialization.h" |
| +#include "net/cert/signed_tree_head.h" |
| + |
| +namespace net { |
| + |
| +namespace ct { |
| + |
| +bool CTLogResponseParser::FillSignedTreeHead(const base::StringPiece& json_sth, |
| + SignedTreeHead* sth) { |
| + base::JSONReader json_reader; |
| + base::Value* json = json_reader.Read(json_sth); |
|
Ryan Sleevi
2014/04/09 18:23:11
Have you looked at base/json/json_value_converter.
Eran Messeri
2014/04/10 21:08:29
It does make life easier - used that instead, than
|
| + if (json == NULL) { |
| + DVLOG(1) << "Empty Signed Tree Head JSON."; |
| + return false; |
| + } |
| + |
| + const base::DictionaryValue* json_dict; |
| + if (!json->GetAsDictionary(&json_dict)) { |
| + DVLOG(1) << "Json STH is not a dictionary."; |
| + return false; |
| + } |
| + |
| + int tree_size; |
| + if (!json_dict->GetInteger("tree_size", &tree_size)) { |
| + DVLOG(1) << "Missing tree_size in Json STH"; |
| + return false; |
| + } |
| + |
| + double timestamp; |
| + if (!json_dict->GetDouble("timestamp", ×tamp)) { |
| + DVLOG(1) << "Missing timestamp in Json STH"; |
| + return false; |
| + } |
| + |
| + std::string sha256_root_hash; |
| + if (!json_dict->GetString("sha256_root_hash", &sha256_root_hash)) { |
| + DVLOG(1) << "Missing sha256_root_hash in Json STH"; |
| + return false; |
| + } |
| + |
| + std::string tree_head_signature; |
| + if (!json_dict->GetString("tree_head_signature", &tree_head_signature)) { |
| + DVLOG(1) << "Missing tree_head_signature in Json STH"; |
| + return false; |
| + } |
| + |
| + std::string decoded_root_hash; |
| + if (!base::Base64Decode(sha256_root_hash, &decoded_root_hash)) { |
| + DVLOG(1) << "Failed decoding sha256_root_hash"; |
| + return false; |
| + } |
| + |
| + if (decoded_root_hash.length() != kSthRootHashLength) { |
| + DVLOG(1) << "sha256_root_hash is expected to be 32 bytes, but is " |
| + << decoded_root_hash.length() << " bytes."; |
| + return false; |
| + } |
| + |
| + std::string decoded_signature; |
| + if (!base::Base64Decode(tree_head_signature, &decoded_signature)) { |
| + DVLOG(1) << "Failed decoding tree_head_signature"; |
| + return false; |
| + } |
| + |
| + // It's OK to decode the signature directly into the output as this is the |
| + // last check before filling in all other fields. |
| + // If decoding of the DigitallySigned part fails, the STH will not contain |
| + // partial data. If it passes, all other fields will be filled as well. |
| + base::StringPiece sp(decoded_signature); |
| + if (!DecodeDigitallySigned(&sp, &(sth->signature))) { |
| + DVLOG(1) << "Failed decoding signature to DigitallySigned"; |
| + return false; |
| + } |
| + |
| + sth->version = SignedTreeHead::V1; |
| + sth->tree_size = tree_size; |
| + sth->timestamp = |
| + base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(timestamp); |
| + memcpy(sth->sha256_root_hash, decoded_root_hash.c_str(), kSthRootHashLength); |
| + return true; |
| +} |
| + |
| +} // namespace ct |
| + |
| +} // namespace net |
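Review bot: `tree_size` and `timestamp` come straight from the log's JSON and are copied into `sth` at the end of FillSignedTreeHead without any range check, so a response with a negative `tree_size` or a negative or out-of-range `timestamp` is accepted as a valid STH. RFC 6962 defines both fields as uint64, so I would reject bad values before the signature decode, e.g. `if (tree_size < 0 || timestamp < 0) { DVLOG(1) << "Negative tree_size or timestamp in Json STH"; return false; }`, and also bound `timestamp` before it reaches `base::TimeDelta::FromMilliseconds()`. Reading `tree_size` through `GetInteger()` into an `int` also presumably rejects any log larger than a 32-bit signed count, so reading it as a double and validating that it is integral and in range would be safer. Separately, `json` from `json_reader.Read()` is kept as a raw `base::Value*` and never released on any return path; if `Read()` passes ownership to the caller (not visible in this file), holding it in a `scoped_ptr<base::Value>` would stop the leak on every early `return false`.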