CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a sin…

net/cert/ct_log_verifier.h

Index: net/cert/ct_log_verifier.h
diff --git a/net/cert/ct_log_verifier.h b/net/cert/ct_log_verifier.h
new file mode 100644
index 0000000000000000000000000000000000000000..c9630d65f818b86a8b41567af0a9eee765302b7d
--- /dev/null
+++ b/net/cert/ct_log_verifier.h
@@ -0,0 +1,81 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_CT_LOG_VERIFIER_H_
+#define NET_CERT_CT_LOG_VERIFIER_H_
+
+#include <string>
+
+#include "base/gtest_prod_util.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/strings/string_piece.h"
+#include "base/time/time.h"

[wtc, 2013/11/08 21:04:00]

This header doesn't seem necessary.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+#include "net/base/net_export.h"
+#include "net/cert/signed_certificate_timestamp.h"
+
+// Forward declare the crypto types to avoid having to include the full
+// headers.
+#if defined(USE_OPENSSL)
+typedef struct evp_pkey_st EVP_PKEY;
+#else
+typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
+#endif
+
+namespace net {
+
+/**

[wtc, 2013/11/08 21:04:00]

Chromium doesn't use this /** comment delimiter for automatic generation of
documentation. Just use //.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+ * Class for verifying Signed Certificate Timestamps (SCTs) provided by a
+ * specific log (whose identity is provided during construction).
+ */

[Ryan Sleevi, 2013/11/08 00:30:43]

nit: Comment style: alternates between // and /* */ here. Would be good to be
consistent.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+class NET_EXPORT CTLogVerifier {
+ public:
+  // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
+  // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
+  // If |public_key| refers to an unsupported public key, returns NULL.
+  // |description| is an optional textual description of the log.
+  static scoped_ptr<CTLogVerifier> Create(
+      const base::StringPiece& public_key,
+      const base::StringPiece& description = "");

[Ryan Sleevi, 2013/11/08 00:30:43]

style: Default arguments are forbidden -
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Defaul...

[Eran M. (Google), 2013/11/12 12:01:28]

Done - made required.

+
+  ~CTLogVerifier();
+
+  // Returns the log's key ID (RFC6962, Section 3.2)
+  const std::string& key_id() const { return key_id_; }
+  // Returns the log's human-readable description.
+  const std::string& description() const { return description_; }
+
+  // Verifies that |sct| contains a valid signature for |entry|.
+  bool VerifySCT(const ct::LogEntry& entry,

[wtc, 2013/11/08 21:04:00]

If this class only verifies SignedCertificateTimestamp, you can also just name
this method "Verify".

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+                 const ct::SignedCertificateTimestamp& sct);
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
+
+  CTLogVerifier();
+
+  // Performs crypto-library specific initialization.
+  bool Init(const base::StringPiece& public_key,
+            const base::StringPiece& description);
+
+  // Performs the underlying verification using the selected public key. Note
+  // that |signature| contains the raw signature data (eg: without any
+  // DigitallySigned struct encoding).
+  bool VerifySignature(const base::StringPiece& data_to_sign,
+                       const base::StringPiece& signature);
+
+  std::string key_id_;
+  std::string description_;
+  ct::DigitallySigned::HashAlgorithm hash_algorithm_;
+  ct::DigitallySigned::SignatureAlgorithm sig_algorithm_;

[wtc, 2013/11/08 21:04:00]

Nit: just wanted to make sure you intended to abbreviate "signature" to "sig"
because in general our Style Guide in unfriendly to abbreviations.

[Eran M. (Google), 2013/11/12 12:01:28]

Done, replaced sig with signature.

+
+#if defined(USE_OPENSSL)
+  EVP_PKEY* public_key_;
+#else
+  SECKEYPublicKey* public_key_;
+#endif
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_CT_LOG_VERIFIER_H_