Certificate Transparency: Parse Signed Tree Heads and validate them

net/cert/ct_log_verifier.h

Index: net/cert/ct_log_verifier.h
diff --git a/net/cert/ct_log_verifier.h b/net/cert/ct_log_verifier.h
index b4ee52026746809a7c8b0e3657ceae77a1d0f6ad..b8d824cce04ae88df2e70806e440df6e30fd6923 100644
--- a/net/cert/ct_log_verifier.h
+++ b/net/cert/ct_log_verifier.h
@@ -23,6 +23,10 @@ typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
 
 namespace net {
 
+namespace ct {
+struct SignedTreeHead;
+}  // namespace ct
+
 // Class for verifying Signed Certificate Timestamps (SCTs) provided by a
 // specific log (whose identity is provided during construction).
 class NET_EXPORT CTLogVerifier {
@@ -46,6 +50,10 @@ class NET_EXPORT CTLogVerifier {
   bool Verify(const ct::LogEntry& entry,
               const ct::SignedCertificateTimestamp& sct);
 
+  // Verifies and sets |sth|. If |sth|'s signature is valid, stores it and
+  // returns true. Otherwise, discards the sth and returns false.
+  bool SetSignedTreeHead(scoped_ptr<ct::SignedTreeHead> sth);

[Ryan Sleevi, 2014/04/09 18:23:11]

nit: s/sth/signed_tree_head/

[Eran Messeri, 2014/04/10 21:08:29]

Done.

+
  private:
   FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
 
@@ -61,10 +69,15 @@ class NET_EXPORT CTLogVerifier {
   bool VerifySignature(const base::StringPiece& data_to_sign,
                        const base::StringPiece& signature);
 
+  // Returns true if the signature and hash algorithms in |signature|
+  // match those of the log
+  bool SignatureParametersMatch(const ct::DigitallySigned& signature);
+
   std::string key_id_;
   std::string description_;
   ct::DigitallySigned::HashAlgorithm hash_algorithm_;
   ct::DigitallySigned::SignatureAlgorithm signature_algorithm_;
+  scoped_ptr<ct::SignedTreeHead> sth_;
 
 #if defined(USE_OPENSSL)
   EVP_PKEY* public_key_;