CT: Adding preliminary Certificate Transparency support to Chromium.

net/cert/single_log_ct_verifier.cc

Index: net/cert/single_log_ct_verifier.cc
diff --git a/net/cert/single_log_ct_verifier.cc b/net/cert/single_log_ct_verifier.cc
new file mode 100644
index 0000000000000000000000000000000000000000..874b7e623cea540f76cddfc6efddf90869b2e621
--- /dev/null
+++ b/net/cert/single_log_ct_verifier.cc
@@ -0,0 +1,109 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/single_log_ct_verifier.h"
+
+#include "net/base/net_errors.h"
+#include "net/base/net_log.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_objects_extractor.h"
+#include "net/cert/ct_serialization.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+SingleLogCTVerifier::SingleLogCTVerifier(
+    scoped_ptr<CTLogVerifier> log_verifier)
+    : log_(log_verifier.Pass()) {
+}
+
+SingleLogCTVerifier::~SingleLogCTVerifier() {
+}
+
+int SingleLogCTVerifier::Verify(X509Certificate* cert,
+                                X509Certificate* verified_cert,
+                                ct::CTVerifyResult* result,
+                                const CompletionCallback& callback,
+                                const BoundNetLog& net_log) {
+  DCHECK(cert);
+  DCHECK(result);
+
+  std::string embedded_scts;
+  ct::LogEntry embedded_log_entry;
+
+  result->verified_scts.clear();
+  result->unverified_scts.clear();
+  result->unknown_logs_scts.clear();
+
+  bool has_valid_embedded_sct =
+      !verified_cert->GetIntermediateCertificates().empty() &&
+      ct::ExtractEmbeddedSCTs(cert->os_cert_handle(), &embedded_scts) &&
+      ct::GetPrecertLogEntry(
+          cert->os_cert_handle(),
+          verified_cert->GetIntermediateCertificates().front(),
+          &embedded_log_entry) &&
+      VerifySCTs(embedded_scts, embedded_log_entry, result);
+
+  if (!has_valid_embedded_sct) {
+    // XXX(rsleevi): Add some SCT error codes?
+    return ERR_FAILED;
+  }
+
+  return OK;
+}
+
+bool SingleLogCTVerifier::VerifySCTs(const std::string& encoded_sct_list,
+                                     const ct::LogEntry& expected_entry,
+                                     ct::CTVerifyResult* result) {
+  if (!log_)
+    return false;
+
+  base::StringPiece temp(encoded_sct_list);
+  std::vector<base::StringPiece> sct_list;
+
+  if (!ct::DecodeSCTList(&temp, &sct_list))
+    return false;
+
+  bool verified = false;
+  for (std::vector<base::StringPiece>::const_iterator it = sct_list.begin();
+       it != sct_list.end(); ++it) {
+    base::StringPiece temp_sct(*it);
+    ct::SignedCertificateTimestamp decoded_sct;
+    if (!DecodeSignedCertificateTimestamp(&temp_sct, &decoded_sct)) {
+      // XXX(rsleevi): Should we really just skip over bad SCTs?
+      continue;
+    }
+    // Assume this SCT is untrusted until proven otherwise.
+    result->unverified_scts.push_back(decoded_sct);
+
+    CTLogVerifier::VerifyResult verify_result =
+        log_->Verify(expected_entry, decoded_sct);
+    if (verify_result == CTLogVerifier::SCT_NOT_FROM_THIS_LOG) {
+      DVLOG(1) << "SCT does not match this log.";
+      result->unverified_scts.pop_back();
+      result->unknown_logs_scts.push_back(decoded_sct);
+      continue;
+    } else if (verify_result != CTLogVerifier::SCT_VERIFIED_OK) {
+      DVLOG(1) << "Unable to verify SCT signature.";
+      continue;
+    }
+
+    if (decoded_sct.timestamp + base::TimeDelta::FromSeconds(1) >
+        base::Time::Now()) {
+      DVLOG(1) << "SCT is from the future!";
+      continue;
+    }
+
+    // Proven otherwise - remove.
+    result->unverified_scts.pop_back();
+    result->verified_scts.push_back(decoded_sct);
+    verified = true;
+  }
+
+  return verified;
+}
+
+}  // namespace net