mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-11-28 08:16:09 +03:00
122 lines
4.2 KiB
C
122 lines
4.2 KiB
C
|
// Copyright 2015 The Chromium Authors. All rights reserved.
|
||
|
// Use of this source code is governed by a BSD-style license that can be
|
||
|
// found in the LICENSE file.
|
||
|
|
||
|
#ifndef NET_SSL_TOKEN_BINDING_H_
|
||
|
#define NET_SSL_TOKEN_BINDING_H_
|
||
|
|
||
|
#include <string>
|
||
|
#include <vector>
|
||
|
|
||
|
#include "base/strings/string_piece.h"
|
||
|
#include "net/base/net_errors.h"
|
||
|
#include "net/base/net_export.h"
|
||
|
|
||
|
namespace crypto {
|
||
|
class ECPrivateKey;
|
||
|
}
|
||
|
|
||
|
namespace net {
|
||
|
|
||
|
enum class TokenBindingType {
|
||
|
PROVIDED = 0,
|
||
|
REFERRED = 1,
|
||
|
};
|
||
|
|
||
|
// Takes an exported keying material value |ekm| from the TLS layer, the type of
|
||
|
// Token Binding |type|, and a token binding key |key| and concatenates the
|
||
|
// Token Binding type, key type, and ekm. This concatenation is signed with
|
||
|
// |key| in accordance with section 3.3 of draft-ietf-tokbind-protocol-10, with
|
||
|
// the signature written to |*out|. Returns true on success or false if there's
|
||
|
// an error in the signing operations.
|
||
|
bool CreateTokenBindingSignature(base::StringPiece ekm,
|
||
|
TokenBindingType type,
|
||
|
crypto::ECPrivateKey* key,
|
||
|
std::vector<uint8_t>* out);
|
||
|
|
||
|
// Given a vector of serialized TokenBinding structs (as defined in
|
||
|
// draft-ietf-tokbind-protocol-04), this function combines them to form the
|
||
|
// serialized TokenBindingMessage struct in |*out|. This function returns a net
|
||
|
// error.
|
||
|
//
|
||
|
// struct {
|
||
|
// TokenBinding tokenbindings<0..2^16-1>;
|
||
|
// } TokenBindingMessage;
|
||
|
Error BuildTokenBindingMessageFromTokenBindings(
|
||
|
const std::vector<base::StringPiece>& token_bindings,
|
||
|
std::string* out);
|
||
|
|
||
|
// Builds a TokenBinding struct of type |type| with a TokenBindingID created
|
||
|
// from |*key| and a signature of |ekm| using |*key| to sign.
|
||
|
//
|
||
|
// enum {
|
||
|
// rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
|
||
|
// } TokenBindingKeyParameters;
|
||
|
//
|
||
|
// struct {
|
||
|
// opaque modulus<1..2^16-1>;
|
||
|
// opaque publicexponent<1..2^8-1>;
|
||
|
// } RSAPublicKey;
|
||
|
//
|
||
|
// struct {
|
||
|
// opaque point <1..2^8-1>;
|
||
|
// } ECPoint;
|
||
|
//
|
||
|
// enum {
|
||
|
// provided_token_binding(0), referred_token_binding(1), (255)
|
||
|
// } TokenBindingType;
|
||
|
//
|
||
|
// struct {
|
||
|
// TokenBindingType tokenbinding_type;
|
||
|
// TokenBindingKeyParameters key_parameters;
|
||
|
// select (key_parameters) {
|
||
|
// case rsa2048_pkcs1.5:
|
||
|
// case rsa2048_pss:
|
||
|
// RSAPublicKey rsapubkey;
|
||
|
// case ecdsap256:
|
||
|
// ECPoint point;
|
||
|
// }
|
||
|
// } TokenBindingID;
|
||
|
//
|
||
|
// struct {
|
||
|
// TokenBindingID tokenbindingid;
|
||
|
// opaque signature<0..2^16-1>;// Signature over the exported keying
|
||
|
// // material value
|
||
|
// Extension extensions<0..2^16-1>;
|
||
|
// } TokenBinding;
|
||
|
Error BuildTokenBinding(TokenBindingType type,
|
||
|
crypto::ECPrivateKey* key,
|
||
|
const std::vector<uint8_t>& ekm,
|
||
|
std::string* out);
|
||
|
|
||
|
// Represents a parsed TokenBinding from a TokenBindingMessage.
|
||
|
struct TokenBinding {
|
||
|
TokenBinding();
|
||
|
|
||
|
TokenBindingType type;
|
||
|
std::string ec_point;
|
||
|
std::string signature;
|
||
|
};
|
||
|
|
||
|
// Given a TokenBindingMessage, parses the TokenBinding structs from it, putting
|
||
|
// them into |*token_bindings|. If there is an error parsing the
|
||
|
// TokenBindingMessage or the key parameter for any TokenBinding in the
|
||
|
// TokenBindingMessage is not ecdsap256, then this function returns false.
|
||
|
NET_EXPORT_PRIVATE bool ParseTokenBindingMessage(
|
||
|
base::StringPiece token_binding_message,
|
||
|
std::vector<TokenBinding>* token_bindings);
|
||
|
|
||
|
// Takes an ECPoint |ec_point| from a TokenBindingID, |signature| from a
|
||
|
// TokenBinding, and a Token Binding type |type| and verifies that |signature|
|
||
|
// is the signature of |ekm| using |ec_point| as the public key. Returns true if
|
||
|
// the signature verifies and false if it doesn't or some other error occurs in
|
||
|
// verification. This function is only provided for testing.
|
||
|
NET_EXPORT_PRIVATE bool VerifyTokenBindingSignature(base::StringPiece ec_point,
|
||
|
base::StringPiece signature,
|
||
|
TokenBindingType type,
|
||
|
base::StringPiece ekm);
|
||
|
|
||
|
} // namespace net
|
||
|
|
||
|
#endif // NET_SSL_TOKEN_BINDING_H_
|