// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
#define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_

#include <string>
#include <vector>

#include "base/macros.h"
#include "base/memory/ref_counted.h"
#include "base/time/time.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"

namespace base {
class Pickle;
class PickleIterator;
}

namespace net {

// Structures related to Certificate Transparency (RFC6962).
//
// These are plain data carriers: nothing in this header verifies a
// signature or decides whether an SCT is trustworthy. Verification and
// policy live in the code that consumes these types.
namespace ct {

// Contains the data necessary to reconstruct the signed_entry of a
// SignedCertificateTimestamp, from RFC 6962, Section 3.2.
//
// All the data necessary to validate a SignedCertificateTimestamp is present
// within the SignedCertificateTimestamp, except for the signature_type,
// entry_type, and the actual entry. The only supported signature_type at
// present is certificate_timestamp. The entry_type is implicit from the
// context in which it is received (those in the X.509 extension are
// precert_entry, all others are x509_entry). The signed_entry itself is
// reconstructed from the certificate being verified, or from the corresponding
// precertificate.
//
// The SignedEntryData contains this reconstructed data, and can be used to
// either generate or verify the signature in SCTs.
//
// Because the entry is rebuilt by the verifier from the certificate it holds,
// rather than taken from the SCT, a valid signature binds the SCT to that
// specific certificate (or precertificate) and not merely to the SCT bytes.
struct NET_EXPORT SignedEntryData {
  // LogEntryType enum in RFC 6962, Section 3.1. The numeric values are the
  // RFC's wire encodings.
  enum Type {
    LOG_ENTRY_TYPE_X509 = 0,
    LOG_ENTRY_TYPE_PRECERT = 1
  };

  SignedEntryData();
  ~SignedEntryData();
  // Presumably returns the struct to its freshly-constructed state; confirm
  // against the definition in the .cc before relying on which fields it
  // clears.
  void Reset();

  // Selects which of the field groups below is meaningful.
  Type type;

  // Set if type == LOG_ENTRY_TYPE_X509.
  // The end-entity certificate bytes (the ASN.1Cert of the RFC's x509_entry).
  std::string leaf_certificate;

  // Set if type == LOG_ENTRY_TYPE_PRECERT.
  // issuer_key_hash: SHA-256 hash of the issuing CA's public key, as
  // RFC 6962 Section 3.2 describes for the PreCert structure.
  // tbs_certificate: the precertificate's TBSCertificate as prepared per
  // RFC 6962 Section 3.2 (i.e. with the poison extension removed).
  SHA256HashValue issuer_key_hash;
  std::string tbs_certificate;
};

// Helper structure to represent Digitally Signed data, as described in
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
//
// The enum values below are the TLS 1.2 wire encodings from RFC 5246. A value
// being representable here does not mean it is acceptable: which hash and
// signature algorithm pairs a verifier accepts is decided by the caller that
// checks them (e.g. via SignatureParametersMatch), not by this struct.
struct NET_EXPORT DigitallySigned {
  enum HashAlgorithm {
    HASH_ALGO_NONE = 0,
    HASH_ALGO_MD5 = 1,
    HASH_ALGO_SHA1 = 2,
    HASH_ALGO_SHA224 = 3,
    HASH_ALGO_SHA256 = 4,
    HASH_ALGO_SHA384 = 5,
    HASH_ALGO_SHA512 = 6,
  };

  enum SignatureAlgorithm {
    SIG_ALGO_ANONYMOUS = 0,
    SIG_ALGO_RSA = 1,
    SIG_ALGO_DSA = 2,
    SIG_ALGO_ECDSA = 3
  };

  DigitallySigned();
  ~DigitallySigned();

  // Returns true if |other_hash_algorithm| and |other_signature_algorithm|
  // match this DigitallySigned hash and signature algorithms.
  //
  // This compares algorithm identifiers only; it does not verify
  // |signature_data|.
  bool SignatureParametersMatch(
      HashAlgorithm other_hash_algorithm,
      SignatureAlgorithm other_signature_algorithm) const;

  HashAlgorithm hash_algorithm;
  SignatureAlgorithm signature_algorithm;
  // Raw bytes of the 'signature' field. Stored uninterpreted; the encoding is
  // whatever the signature algorithm produces and is decoded by the verifier.
  std::string signature_data;
};

// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
//
// Instances are reference counted (thread-safe count) and shared through
// scoped_refptr; the destructor is private, so they can only be released by
// dropping the last reference. Fields are public and mutable: whoever fills
// them in is responsible for their consistency.
struct NET_EXPORT SignedCertificateTimestamp
    : public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
  // Predicate functor used in maps when SignedCertificateTimestamp is used as
  // the key.
  //
  // Presumably orders by the SCT contents rather than by pointer identity,
  // and per the note on |log_description| that field should not take part;
  // confirm against the .cc.
  struct NET_EXPORT LessThan {
    bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
                    const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
  };

  // Version enum in RFC 6962, Section 3.2. v1 is the only version defined.
  enum Version {
    V1 = 0,
  };

  // Source of the SCT - supplementary, not defined in CT RFC.
  // Note: The numeric values are used within histograms and should not change
  // or be re-assigned.
  // SCT_ORIGIN_MAX is a sentinel marking the end of the range (e.g. for
  // bounding histogram buckets); it is not a valid origin.
  enum Origin {
    SCT_EMBEDDED = 0,
    SCT_FROM_TLS_EXTENSION = 1,
    SCT_FROM_OCSP_RESPONSE = 2,
    SCT_ORIGIN_MAX,
  };

  SignedCertificateTimestamp();

  // Serializes this SCT into |pickle|, and reconstructs one from |iter|.
  // The Pickle format carries no integrity protection of its own, so an SCT
  // loaded from storage should be treated as untrusted input and verified
  // again rather than trusted because it was previously stored.
  // NOTE(review): the failure behaviour of CreateFromPickle (null return vs.
  // partially filled object) is not visible here; confirm in the .cc.
  void Persist(base::Pickle* pickle);
  static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
      base::PickleIterator* iter);

  Version version;
  // The log's LogID from RFC 6962 (the SHA-256 hash of the log's public key),
  // stored as raw bytes.
  std::string log_id;
  // The RFC encodes this as a millisecond timestamp on the wire; it is kept
  // here as base::Time.
  base::Time timestamp;
  // Raw bytes of the RFC's 'extensions' field, not interpreted here.
  std::string extensions;
  // Signature over the reconstructed signed_entry (see SignedEntryData)
  // together with the other SCT fields, as defined by RFC 6962.
  DigitallySigned signature;
  // Where this SCT was obtained from; not part of the RFC structure.
  Origin origin;
  // The log description is not one of the SCT fields, but a user-readable
  // name defined alongside the log key. It should not participate
  // in equality checks as the log's description could change while
  // the SCT would be the same.
  std::string log_description;

 private:
  friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;

  // Private: instances are destroyed only via the reference count.
  ~SignedCertificateTimestamp();

  // Non-copyable; a reference-counted object must exist only through its
  // refcount.
  DISALLOW_COPY_AND_ASSIGN(SignedCertificateTimestamp);
};

// A list of shared SCT references, e.g. all SCTs gathered for one
// certificate regardless of origin.
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;

}  // namespace ct

}  // namespace net

#endif  // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_