CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a sin…

net/cert/ct_log_verifier.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_log_verifier.h"
+
+#include "base/logging.h"
+#include "net/cert/ct_serialization.h"
+
+namespace net {
+
+// static
+scoped_ptr<CTLogVerifier> CTLogVerifier::Create(
+    const base::StringPiece& public_key,
+    const base::StringPiece& description) {
+  scoped_ptr<CTLogVerifier> result(new CTLogVerifier());
+  if (!result->Init(public_key, description))
+    result.reset();
+  return result.Pass();
+}
+
+bool CTLogVerifier::VerifySCT(const ct::LogEntry& entry,
+                              const ct::SignedCertificateTimestamp& sct) {
+  if (sct.log_id != key_id()) {
+    DVLOG(1) << "SCT is not signed by this log.";
+    return false;
+  }
+
+  if (sct.signature.hash_algorithm != hash_algorithm_) {
+    DVLOG(1) << "Mismatched hash algorithm. Expected " << hash_algorithm_
+             << ", got " << sct.signature.hash_algorithm << ".";
+    return false;
+  }
+
+  if (sct.signature.signature_algorithm != sig_algorithm_) {
+    DVLOG(1) << "Mismatched sig algorithm. Expected " << sig_algorithm_
+             << ", got " << sct.signature.signature_algorithm << ".";
+    return false;
+  }
+
+  std::string serialized_log_entry;
+  if (!ct::EncodeLogEntry(entry, &serialized_log_entry)) {
+    DVLOG(1) << "Unable to serialize entry.";
+    return false;
+  }
+  std::string serialized_data;
+  if (!ct::EncodeV1SCTSignedData(sct.timestamp, serialized_log_entry,
+                                 sct.extensions, &serialized_data)) {
+    DVLOG(1) << "Unable to create SCT to verify.";
+    return false;
+  }
+
+  return VerifySignature(serialized_data, sct.signature.signature_data);
+}
+
+}  // namespace net