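// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_CT_LOG_VERIFIER_H_
#define NET_CERT_CT_LOG_VERIFIER_H_

#include <string>
#include <string_view>

#include "base/gtest_prod_util.h"
#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "third_party/boringssl/src/include/openssl/base.h"

namespace net {

namespace ct {
struct MerkleAuditProof;
struct MerkleConsistencyProof;
struct SignedTreeHead;
}  // namespace ct

// Class for verifying signatures of a single Certificate Transparency
// log, whose identity is provided during construction.
// Currently can verify Signed Certificate Timestamp (SCT) and Signed
// Tree Head (STH) signatures, and can check Merkle consistency and audit
// proofs against caller-supplied tree hashes.
// Immutable: Does not hold any state beyond the log information it was
// initialized with.
class NET_EXPORT CTLogVerifier
    : public base::RefCountedThreadSafe<CTLogVerifier> {
 public:
  // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
  // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
  // If |public_key| refers to an unsupported public key, returns nullptr, so
  // callers must check the result before dereferencing it.
  // |description| is a textual description of the log.
  // NOTE(review): presumably a |public_key| that fails to parse at all is
  // reported the same way - confirm in the implementation.
  static scoped_refptr<const CTLogVerifier> Create(std::string_view public_key,
                                                   std::string description);

  // Returns the log's key ID (RFC 6962, Section 3.2), which that section
  // defines as the SHA-256 hash of the log's public key.
  const std::string& key_id() const { return key_id_; }
  // Returns the log's human-readable description. This is the text handed to
  // Create(); it is descriptive only and is not an input to any check
  // declared here.
  const std::string& description() const { return description_; }

  // Verifies that |sct| is valid for |entry| and was signed by this log.
  // NOTE(review): the private SignatureParametersMatch() helper suggests the
  // SCT's declared hash and signature algorithms are compared with the log's
  // before the signature is checked - confirm in the implementation.
  bool Verify(const ct::SignedEntryData& entry,
              const ct::SignedCertificateTimestamp& sct) const;

  // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962,
  // Section 3.5) for this log.
  bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const;

  // Verifies that |proof| is a valid consistency proof (RFC 6962, Section
  // 2.1.2) for this log, and which proves that |old_tree_hash| has
  // been fully incorporated into the Merkle tree represented by
  // |new_tree_hash|.
  // Both hashes are passed as plain strings, so nothing in this signature
  // ties them to a signed tree head.
  // NOTE(review): presumably callers are expected to take them from STHs
  // already accepted by VerifySignedTreeHead() - confirm at the call sites.
  bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof,
                              const std::string& old_tree_hash,
                              const std::string& new_tree_hash) const;

  // Verifies that |proof| is a valid audit proof (RFC 6962, Section 2.1.1) for
  // this log, and which proves that the certificate represented by |leaf_hash|
  // has been incorporated into the Merkle tree represented by |root_hash|.
  // Returns true if verification succeeds, false otherwise.
  // |root_hash| is passed as a plain string, so a successful result says the
  // leaf is included under that hash and nothing about who produced the hash.
  // NOTE(review): presumably |root_hash| should come from an STH already
  // accepted by VerifySignedTreeHead() - confirm at the call sites.
  bool VerifyAuditProof(const ct::MerkleAuditProof& proof,
                        const std::string& root_hash,
                        const std::string& leaf_hash) const;

 private:
  // Gives the CTLogVerifierTest.VerifySignature test access to the private
  // members below.
  FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
  // The destructor is private, so the ref-counting base needs friendship to
  // destroy the object.
  friend class base::RefCountedThreadSafe<CTLogVerifier>;

  // Private: instances are obtained through Create().
  explicit CTLogVerifier(std::string description);
  ~CTLogVerifier();

  // Performs crypto-library specific initialization.
  // NOTE(review): presumably returns false when |public_key| cannot be used,
  // which Create() then reports as a null result - confirm.
  bool Init(std::string_view public_key);

  // Performs the underlying verification using the selected public key. Note
  // that |signature| contains the raw signature data (e.g. without any
  // DigitallySigned struct encoding).
  bool VerifySignature(std::string_view data_to_sign,
                       std::string_view signature) const;

  // Returns true if the signature and hash algorithms in |signature|
  // match those of the log.
  bool SignatureParametersMatch(const ct::DigitallySigned& signature) const;

  std::string key_id_;
  std::string description_;
  // The algorithm fields start at the NONE / ANONYMOUS enumerators.
  // NOTE(review): presumably Init() replaces them with the algorithms implied
  // by the log's key - confirm.
  ct::DigitallySigned::HashAlgorithm hash_algorithm_ =
      ct::DigitallySigned::HASH_ALGO_NONE;
  ct::DigitallySigned::SignatureAlgorithm signature_algorithm_ =
      ct::DigitallySigned::SIG_ALGO_ANONYMOUS;

  // Owning handle to the log's public key.
  bssl::UniquePtr<EVP_PKEY> public_key_;
};

}  // namespace net

#endif  // NET_CERT_CT_LOG_VERIFIER_H_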