// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_CT_LOG_VERIFIER_H_
#define NET_CERT_CT_LOG_VERIFIER_H_

#include <string>
#include <string_view>

#include "base/gtest_prod_util.h"
#include "base/memory/ref_counted.h"
#include "net/base/net_export.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "third_party/boringssl/src/include/openssl/base.h"

namespace net {

namespace ct {
struct MerkleAuditProof;
struct MerkleConsistencyProof;
struct SignedTreeHead;
}  // namespace ct

// Class for verifying signatures of a single Certificate Transparency
// log, whose identity is provided during construction.
// Currently can verify Signed Certificate Timestamp (SCT) and Signed
// Tree Head (STH) signatures; it also declares checks for Merkle consistency
// and audit proofs (RFC 6962, Section 2.1).
// Immutable: Does not hold any state beyond the log information it was
// initialized with.
//
// Instances are reference counted through base::RefCountedThreadSafe and are
// only obtainable through Create(), which hands out a pointer to const. Every
// Verify* method returns bool; a false result must be treated as "not
// verified" by the caller.
class NET_EXPORT CTLogVerifier
    : public base::RefCountedThreadSafe<CTLogVerifier> {
 public:
  // Creates a new CTLogVerifier that will verify SignedCertificateTimestamps
  // using |public_key|, which is a DER-encoded SubjectPublicKeyInfo.
  // If |public_key| refers to an unsupported public key, returns nullptr, so
  // callers must check the result before dereferencing it.
  // |description| is a textual description of the log.
  // NOTE(review): the result for a malformed (unparseable) |public_key| is not
  // stated here; presumably also nullptr -- confirm against the
  // implementation.
  static scoped_refptr<const CTLogVerifier> Create(std::string_view public_key,
                                                   std::string description);

  // Returns the log's key ID (RFC 6962, Section 3.2). The RFC defines the log
  // ID as the SHA-256 hash of the log's public key.
  // NOTE(review): presumably derived from |public_key| during Init() --
  // confirm.
  const std::string& key_id() const { return key_id_; }
  // Returns the log's human-readable description.
  const std::string& description() const { return description_; }

  // Verifies that |sct| is valid for |entry| and was signed by this log.
  // NOTE(review): presumably returns true only when verification succeeds, as
  // documented for VerifyAuditProof() -- confirm.
  bool Verify(const ct::SignedEntryData& entry,
              const ct::SignedCertificateTimestamp& sct) const;

  // Verifies that |signed_tree_head| is a valid Signed Tree Head (RFC 6962,
  // Section 3.5) for this log.
  bool VerifySignedTreeHead(const ct::SignedTreeHead& signed_tree_head) const;

  // Verifies that |proof| is a valid consistency proof (RFC 6962, Section
  // 2.1.2) for this log, and which proves that |old_tree_hash| has
  // been fully incorporated into the Merkle tree represented by
  // |new_tree_hash|.
  // NOTE(review): both hashes arrive as plain strings and no STH is passed,
  // so nothing in this signature shows them being authenticated. Callers
  // presumably need to take them from tree heads accepted by
  // VerifySignedTreeHead() -- confirm.
  bool VerifyConsistencyProof(const ct::MerkleConsistencyProof& proof,
                              const std::string& old_tree_hash,
                              const std::string& new_tree_hash) const;

  // Verifies that |proof| is a valid audit proof (RFC 6962, Section 2.1.1) for
  // this log, and which proves that the certificate represented by |leaf_hash|
  // has been incorporated into the Merkle tree represented by |root_hash|.
  // Returns true if verification succeeds, false otherwise.
  // NOTE(review): |root_hash| is a plain string; the proof is only as
  // trustworthy as the source of that hash. Presumably it must come from an
  // STH accepted by VerifySignedTreeHead() -- confirm.
  bool VerifyAuditProof(const ct::MerkleAuditProof& proof,
                        const std::string& root_hash,
                        const std::string& leaf_hash) const;

 private:
  // Lets the CTLogVerifierTest.VerifySignature test reach private members.
  FRIEND_TEST_ALL_PREFIXES(CTLogVerifierTest, VerifySignature);
  // The destructor is private, so the ref-counting base class needs friend
  // access to destroy the object.
  friend class base::RefCountedThreadSafe<CTLogVerifier>;

  // Private: instances are created through Create() only.
  explicit CTLogVerifier(std::string description);
  ~CTLogVerifier();

  // Performs crypto-library specific initialization.
  // NOTE(review): presumably a false return makes Create() return nullptr --
  // confirm.
  bool Init(std::string_view public_key);

  // Performs the underlying verification using the selected public key. Note
  // that |signature| contains the raw signature data (e.g. without any
  // DigitallySigned struct encoding).
  bool VerifySignature(std::string_view data_to_sign,
                       std::string_view signature) const;

  // Returns true if the signature and hash algorithms in |signature|
  // match those of the log.
  bool SignatureParametersMatch(const ct::DigitallySigned& signature) const;

  std::string key_id_;
  std::string description_;
  // In-class defaults are HASH_ALGO_NONE / SIG_ALGO_ANONYMOUS.
  // NOTE(review): presumably placeholders that Init() replaces with the
  // algorithms implied by the log's public key -- confirm.
  ct::DigitallySigned::HashAlgorithm hash_algorithm_ =
      ct::DigitallySigned::HASH_ALGO_NONE;
  ct::DigitallySigned::SignatureAlgorithm signature_algorithm_ =
      ct::DigitallySigned::SIG_ALGO_ANONYMOUS;

  // The log's public key, owned by this object through bssl::UniquePtr.
  bssl::UniquePtr<EVP_PKEY> public_key_;
};

}  // namespace net

#endif  // NET_CERT_CT_LOG_VERIFIER_H_