Rename net::ct::LogEntry to SignedEntryData and clarify the comment.

net/cert/signed_certificate_timestamp.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
 #define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
 
 #include <string>
 #include <vector>
 
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/time/time.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
 
 namespace base {
 class Pickle;
 class PickleIterator;
 }
 
 namespace net {
 
 // Structures related to Certificate Transparency (RFC6962).
 namespace ct {
 
-// LogEntry struct in RFC 6962, Section 3.1
+// Similar to LogEntry struct in RFC 6962, Section 3.1, with the following
+// differences:
+// 1. Only contains end-entities, no chains.
+// 2. Instead of a Precertificate, it contains a PreCert(from Section 3.2).
+//    (Precertificate = Certificate with poison extension
+//     PreCert = issuer_key_hash + TBSCertificate without poison extension)

[Ryan Sleevi, 2017/04/18 14:53:29]

Right, this is actually the signed_entry of an SCT from
https://tools.ietf.org/html/rfc6962#section-3.2

Maybe this should be renamed SignedEntryData?

Eran, what do you think?

It'd be much larger to rename, so I'm not necessarily requesting that in this
CL, but perhaps that context is worth updating the comment to reflect that.

// Contains the data necessary to reconstruct the signed_entry
// of a SignedCertificateTimestamp, from RFC 6962, Section 3.2.
//
// All the data necessary to validate a SignedCertificateTimestamp
// is present within the SignedCertificateTimestamp, except for
// the signature_type, entry_type, and the actual entry. The only
// supported signature_type at present is certificate_timestamp.
// The entry_type is implicit from the context in which it is
// received (those in the X.509 extension are precert_entry, all
// others are x509_entry). The signed_entry itself is
// reconstructed from the certificate (or precertificate) being
// verified.
// The SignedEntryData contains this reconstructed data, and can
// be used to either generate or verify SCTs.


(Is the very wordy answer)

WDYT?

[Eran Messeri, 2017/04/19 10:42:07]

Nit: The precertificate isn't being verified - it could be a certificate
corresponding to a precertificate that's being verified. That bit in the comment
seems to me a bit confusing.
Nit: Verify the signature in the SCT? 
I agree - SignedEntryData sounds like a much better name. The assessment that
this is not really a 'LogEntry' struct as defined in 6962 Section 3.1. is
accurate, this structure is indeed only useful for reconstructing the data which
is signed by the signature in the SignedCertificateTimestamp.

[mattm, 2017/04/21 21:12:15]

Done.

 struct NET_EXPORT LogEntry {
   // LogEntryType enum in RFC 6962, Section 3.1
   enum Type {
     LOG_ENTRY_TYPE_X509 = 0,
     LOG_ENTRY_TYPE_PRECERT = 1
   };
 
   LogEntry();
   ~LogEntry();
   void Reset();
 
   Type type;
 
   // Set if type == LOG_ENTRY_TYPE_X509
   std::string leaf_certificate;
 
+  // PreCert struct in RFC 6962, Section 3.2.
   // Set if type == LOG_ENTRY_TYPE_PRECERT
   SHA256HashValue issuer_key_hash;
   std::string tbs_certificate;
 };
 
 // Helper structure to represent Digitally Signed data, as described in
 // Sections 4.7 and 7.4.1.4.1 of RFC 5246.
 struct NET_EXPORT_PRIVATE DigitallySigned {
   enum HashAlgorithm {
     HASH_ALGO_NONE = 0,
@@ skipping 76 matching lines @@
   ~SignedCertificateTimestamp();
 
   DISALLOW_COPY_AND_ASSIGN(SignedCertificateTimestamp);
 };
 
 }  // namespace ct
 
 }  // namespace net
 
 #endif  // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_