1*6777b538SAndroid Build Coastguard Worker // Copyright 2013 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker #ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_ 6*6777b538SAndroid Build Coastguard Worker #define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_ 7*6777b538SAndroid Build Coastguard Worker 8*6777b538SAndroid Build Coastguard Worker #include <string> 9*6777b538SAndroid Build Coastguard Worker #include <vector> 10*6777b538SAndroid Build Coastguard Worker 11*6777b538SAndroid Build Coastguard Worker #include "base/memory/ref_counted.h" 12*6777b538SAndroid Build Coastguard Worker #include "base/time/time.h" 13*6777b538SAndroid Build Coastguard Worker #include "net/base/hash_value.h" 14*6777b538SAndroid Build Coastguard Worker #include "net/base/net_export.h" 15*6777b538SAndroid Build Coastguard Worker 16*6777b538SAndroid Build Coastguard Worker namespace base { 17*6777b538SAndroid Build Coastguard Worker class Pickle; 18*6777b538SAndroid Build Coastguard Worker class PickleIterator; 19*6777b538SAndroid Build Coastguard Worker } 20*6777b538SAndroid Build Coastguard Worker 21*6777b538SAndroid Build Coastguard Worker // Structures related to Certificate Transparency (RFC6962). 22*6777b538SAndroid Build Coastguard Worker namespace net::ct { 23*6777b538SAndroid Build Coastguard Worker 24*6777b538SAndroid Build Coastguard Worker // Contains the data necessary to reconstruct the signed_entry of a 25*6777b538SAndroid Build Coastguard Worker // SignedCertificateTimestamp, from RFC 6962, Section 3.2. 
//
// All the data necessary to validate a SignedCertificateTimestamp is present
// within the SignedCertificateTimestamp, except for the signature_type,
// entry_type, and the actual entry. The only supported signature_type at
// present is certificate_timestamp. The entry_type is implicit from the
// context in which it is received (those in the X.509 extension are
// precert_entry, all others are x509_entry). The signed_entry itself is
// reconstructed from the certificate being verified, or from the corresponding
// precertificate.
//
// The SignedEntryData contains this reconstructed data, and can be used to
// either generate or verify the signature in SCTs.
struct NET_EXPORT SignedEntryData {
  // LogEntryType enum in RFC 6962, Section 3.1. The numeric values match the
  // RFC's encoding (x509_entry = 0, precert_entry = 1), so they must not be
  // renumbered.
  enum Type {
    LOG_ENTRY_TYPE_X509 = 0,
    LOG_ENTRY_TYPE_PRECERT = 1
  };

  SignedEntryData();
  ~SignedEntryData();
  // Presumably restores the default-constructed state of all fields below;
  // confirm against the definition before relying on it to drop old data.
  void Reset();

  // Selects which of the two field groups below is meaningful. This is a
  // passive data holder: nothing here checks that the fields for the chosen
  // type are populated, or that the other group is empty.
  Type type = LOG_ENTRY_TYPE_X509;

  // Set if type == LOG_ENTRY_TYPE_X509: the certificate bytes that form the
  // RFC 6962 leaf_certificate of an x509_entry.
  std::string leaf_certificate;

  // Set if type == LOG_ENTRY_TYPE_PRECERT.
  // SHA-256 hash identifying the issuer's key (RFC 6962 issuer_key_hash);
  // exactly what is hashed is decided by the code that fills this in.
  SHA256HashValue issuer_key_hash;
  // The TBSCertificate of the precertificate. NOTE(review): RFC 6962,
  // Section 3.2 requires the poison extension to be removed before signing;
  // assumed to be done by the producer of this struct — confirm.
  std::string tbs_certificate;
};

// Helper structure to represent Digitally Signed data, as described in
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
struct NET_EXPORT DigitallySigned {
  // HashAlgorithm values as listed in RFC 5246, Section 7.4.1.4.1; the
  // numbers appear to mirror the TLS registry encoding, so they should not be
  // renumbered. Legacy algorithms (MD5, SHA-1) are representable here so that
  // a received value can be decoded; this struct does not restrict which
  // algorithms are acceptable for verification — that policy belongs to the
  // code that verifies the signature.
  enum HashAlgorithm {
    HASH_ALGO_NONE = 0,
    HASH_ALGO_MD5 = 1,
    HASH_ALGO_SHA1 = 2,
    HASH_ALGO_SHA224 = 3,
    HASH_ALGO_SHA256 = 4,
    HASH_ALGO_SHA384 = 5,
    HASH_ALGO_SHA512 = 6,
  };

  // SignatureAlgorithm values as listed in RFC 5246, Section 7.4.1.4.1, again
  // matching the registry encoding.
  enum SignatureAlgorithm {
    SIG_ALGO_ANONYMOUS = 0,
    SIG_ALGO_RSA = 1,
    SIG_ALGO_DSA = 2,
    SIG_ALGO_ECDSA = 3
  };

  DigitallySigned();
  ~DigitallySigned();

  // Returns true if |other_hash_algorithm| and |other_signature_algorithm|
  // match this DigitallySigned hash and signature algorithms. Presumably a
  // plain equality check on the two fields below, with no judgement about
  // whether the pair is an acceptable combination — confirm against the
  // definition.
  bool SignatureParametersMatch(
      HashAlgorithm other_hash_algorithm,
      SignatureAlgorithm other_signature_algorithm) const;

  // Defaults are the registry "none"/"anonymous" values, i.e. not yet set.
  HashAlgorithm hash_algorithm = HASH_ALGO_NONE;
  SignatureAlgorithm signature_algorithm = SIG_ALGO_ANONYMOUS;
  // 'signature' field: the raw signature bytes. Their encoding is not
  // interpreted by this struct.
  std::string signature_data;
};

// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
//
// Instances are reference-counted (base::RefCountedThreadSafe) and
// non-copyable; callers hold them through scoped_refptr (see SCTList below).
// The destructor is private so an instance can only be destroyed by the last
// reference going away.
struct NET_EXPORT SignedCertificateTimestamp
    : public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
  // Predicate functor used in maps when SignedCertificateTimestamp is used as
  // the key. NOTE(review): assumed to order by the SCT contents rather than by
  // pointer value, and to leave log_description out (see its comment below) —
  // confirm against the definition.
  struct NET_EXPORT LessThan {
    bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
                    const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
  };

  // Version enum in RFC 6962, Section 3.2. Only v1 is defined here.
  enum Version {
    V1 = 0,
  };

  // Source of the SCT - supplementary, not defined in CT RFC. The three
  // origins correspond to the delivery mechanisms RFC 6962 describes:
  // embedded in the certificate, the TLS extension, or the OCSP response.
  // Note: The numeric values are used within histograms and should not change
  // or be re-assigned. SCT_ORIGIN_MAX is a sentinel (bucket count), not a
  // valid origin.
  enum Origin {
    SCT_EMBEDDED = 0,
    SCT_FROM_TLS_EXTENSION = 1,
    SCT_FROM_OCSP_RESPONSE = 2,
    SCT_ORIGIN_MAX,
  };

  SignedCertificateTimestamp();

  SignedCertificateTimestamp(const SignedCertificateTimestamp&) = delete;
  SignedCertificateTimestamp& operator=(const SignedCertificateTimestamp&) =
      delete;

  // Persist writes this SCT into |pickle|; CreateFromPickle reads one back
  // from |iter| and is presumably its inverse. NOTE(review): assumed to return
  // null when the pickled data cannot be read, so callers should check the
  // result — confirm against the definition.
  void Persist(base::Pickle* pickle);
  static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
      base::PickleIterator* iter);

  // SCT fields, in the order of RFC 6962, Section 3.2.
  Version version = V1;
  std::string log_id;
  base::Time timestamp;
  std::string extensions;
  DigitallySigned signature;
  // Where this SCT was obtained from; see Origin. Not an SCT field.
  Origin origin = SCT_EMBEDDED;
  // The log description is not one of the SCT fields, but a user-readable
  // name defined alongside the log key. It should not participate
  // in equality checks as the log's description could change while
  // the SCT would be the same.
  std::string log_description;

 private:
  friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;

  ~SignedCertificateTimestamp();
};

// List of ref-counted SCTs.
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;

}  // namespace net::ct

#endif  // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_