1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
6 #define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
7 
8 #include <string>
9 #include <vector>
10 
11 #include "base/macros.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/time/time.h"
14 #include "net/base/hash_value.h"
15 #include "net/base/net_export.h"
16 
// Forward declarations only: the API below takes base::Pickle and
// base::PickleIterator by pointer, so the full definitions are not needed
// here and the header stays light for its many includers.
namespace base {
class Pickle;
class PickleIterator;
}
21 
22 namespace net {
23 
// Structures related to Certificate Transparency (RFC 6962).
25 namespace ct {
26 
// Contains the data necessary to reconstruct the signed_entry of a
// SignedCertificateTimestamp, from RFC 6962, Section 3.2.
//
// All the data necessary to validate a SignedCertificateTimestamp is present
// within the SignedCertificateTimestamp, except for the signature_type,
// entry_type, and the actual entry. The only supported signature_type at
// present is certificate_timestamp. The entry_type is implicit from the
// context in which it is received (those in the X.509 extension are
// precert_entry, all others are x509_entry). The signed_entry itself is
// reconstructed from the certificate being verified, or from the corresponding
// precertificate.
//
// The SignedEntryData contains this reconstructed data, and can be used to
// either generate or verify the signature in SCTs.
struct NET_EXPORT SignedEntryData {
  // LogEntryType enum in RFC 6962, Section 3.1. The numeric values are the
  // RFC's wire values and are part of the signed data, so they must not be
  // renumbered.
  enum Type {
    LOG_ENTRY_TYPE_X509 = 0,
    LOG_ENTRY_TYPE_PRECERT = 1
  };

  SignedEntryData();
  ~SignedEntryData();
  // Defined out of line; presumably returns every field to its initial
  // state so the object can be reused for another entry.
  void Reset();

  // Selects which of the two field groups below carries the entry. This
  // struct only stores the data; nothing here checks that the fields for
  // the other type are empty.
  Type type;

  // Set if type == LOG_ENTRY_TYPE_X509: the certificate bytes that make up
  // the x509_entry.
  std::string leaf_certificate;

  // Set if type == LOG_ENTRY_TYPE_PRECERT: the PreCert structure of
  // RFC 6962, i.e. the hash of the issuer's public key and the
  // TBSCertificate of the precertificate.
  SHA256HashValue issuer_key_hash;
  std::string tbs_certificate;
};
61 
62 // Helper structure to represent Digitally Signed data, as described in
63 // Sections 4.7 and 7.4.1.4.1 of RFC 5246.
struct NET_EXPORT DigitallySigned {
  // HashAlgorithm wire values from RFC 5246, Section 7.4.1.4.1. The list
  // mirrors the TLS registry and therefore also names algorithms that are
  // no longer considered secure (MD5, SHA-1). This struct only carries the
  // value; which algorithms are acceptable for an SCT signature is a
  // decision for the code that verifies |signature_data|, not for this type.
  enum HashAlgorithm {
    HASH_ALGO_NONE = 0,
    HASH_ALGO_MD5 = 1,
    HASH_ALGO_SHA1 = 2,
    HASH_ALGO_SHA224 = 3,
    HASH_ALGO_SHA256 = 4,
    HASH_ALGO_SHA384 = 5,
    HASH_ALGO_SHA512 = 6,
  };

  // SignatureAlgorithm wire values from RFC 5246, Section 7.4.1.4.1. Same
  // caveat as above: the value is stored, not validated, here.
  enum SignatureAlgorithm {
    SIG_ALGO_ANONYMOUS = 0,
    SIG_ALGO_RSA = 1,
    SIG_ALGO_DSA = 2,
    SIG_ALGO_ECDSA = 3
  };

  DigitallySigned();
  ~DigitallySigned();

  // Returns true if |other_hash_algorithm| and |other_signature_algorithm|
  // match this DigitallySigned hash and signature algorithms.
  // This compares the two algorithm identifiers only; it says nothing about
  // whether |signature_data| itself verifies.
  bool SignatureParametersMatch(
      HashAlgorithm other_hash_algorithm,
      SignatureAlgorithm other_signature_algorithm) const;

  HashAlgorithm hash_algorithm;
  SignatureAlgorithm signature_algorithm;
  // The raw 'signature' field: opaque bytes whose format depends on
  // |signature_algorithm|. Not interpreted or validated by this struct.
  std::string signature_data;
};
96 
97 // SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
struct NET_EXPORT SignedCertificateTimestamp
    : public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
  // Predicate functor used in maps when SignedCertificateTimestamp is used as
  // the key. The comparison is defined out of line; given the note on
  // |log_description| below, that field is expected not to take part in the
  // ordering (confirm against the .cc).
  struct NET_EXPORT LessThan {
    bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
                    const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
  };

  // Version enum in RFC 6962, Section 3.2. V1 is the only version the RFC
  // defines, so it is the only value here.
  enum Version {
    V1 = 0,
  };

  // Source of the SCT - supplementary, not defined in CT RFC.
  // Note: The numeric values are used within histograms and should not change
  // or be re-assigned. New origins go before SCT_ORIGIN_MAX, which is the end
  // marker and not itself a valid origin.
  enum Origin {
    SCT_EMBEDDED = 0,
    SCT_FROM_TLS_EXTENSION = 1,
    SCT_FROM_OCSP_RESPONSE = 2,
    SCT_ORIGIN_MAX,
  };

  SignedCertificateTimestamp();

  // Serializes this SCT into |pickle|.
  void Persist(base::Pickle* pickle);
  // Deserializes an SCT from |iter|, the counterpart of Persist(). The
  // pickle is a trust boundary for this type: the .cc should reject a
  // truncated or malformed record rather than build a partial SCT —
  // presumably by returning null, but confirm there before relying on it.
  static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
      base::PickleIterator* iter);

  // The SCT fields of RFC 6962, Section 3.2, in wire order.
  Version version;
  // LogID: identifies the log that issued this SCT.
  std::string log_id;
  base::Time timestamp;
  // CtExtensions: opaque bytes, stored as received.
  std::string extensions;
  // Signature over the signed_entry (see SignedEntryData); the algorithm
  // identifiers travel with it in |signature|.
  DigitallySigned signature;
  // Where this SCT was obtained from; not part of the RFC structure.
  Origin origin;
  // The log description is not one of the SCT fields, but a user-readable
  // name defined alongside the log key. It should not participate
  // in equality checks as the log's description could change while
  // the SCT would be the same.
  std::string log_description;

 private:
  // Lifetime is managed by reference counting: only RefCountedThreadSafe may
  // destroy an instance, which is why the destructor is private and the
  // base class is a friend.
  friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;

  ~SignedCertificateTimestamp();

  DISALLOW_COPY_AND_ASSIGN(SignedCertificateTimestamp);
};
147 
// A list of ref-counted SCTs, as attached to a connection or certificate.
// Holding scoped_refptrs lets the same SCT object be shared without copying.
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
149 
150 }  // namespace ct
151 
152 }  // namespace net
153 
154 #endif  // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
155