naiveproxy/src/net/cert/signed_certificate_timestamp.h
2024-10-06 12:16:12 +08:00

152 lines
4.5 KiB
C++

// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
#define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
#include <string>
#include <vector>
#include "base/memory/ref_counted.h"
#include "base/time/time.h"
#include "net/base/hash_value.h"
#include "net/base/net_export.h"
namespace base {
class Pickle;
class PickleIterator;
}
// Structures related to Certificate Transparency (RFC6962).
namespace net::ct {
// Contains the data necessary to reconstruct the signed_entry of a
// SignedCertificateTimestamp, from RFC 6962, Section 3.2.
//
// All the data necessary to validate a SignedCertificateTimestamp is present
// within the SignedCertificateTimestamp, except for the signature_type,
// entry_type, and the actual entry. The only supported signature_type at
// present is certificate_timestamp. The entry_type is implicit from the
// context in which it is received (those in the X.509 extension are
// precert_entry, all others are x509_entry). The signed_entry itself is
// reconstructed from the certificate being verified, or from the corresponding
// precertificate.
//
// The SignedEntryData contains this reconstructed data, and can be used to
// either generate or verify the signature in SCTs.
struct NET_EXPORT SignedEntryData {
// LogEntryType enum in RFC 6962, Section 3.1
enum Type {
LOG_ENTRY_TYPE_X509 = 0,
LOG_ENTRY_TYPE_PRECERT = 1
};
SignedEntryData();
~SignedEntryData();
void Reset();
Type type = LOG_ENTRY_TYPE_X509;
// Set if type == LOG_ENTRY_TYPE_X509
std::string leaf_certificate;
// Set if type == LOG_ENTRY_TYPE_PRECERT
SHA256HashValue issuer_key_hash;
std::string tbs_certificate;
};
// Helper structure to represent Digitally Signed data, as described in
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
struct NET_EXPORT DigitallySigned {
enum HashAlgorithm {
HASH_ALGO_NONE = 0,
HASH_ALGO_MD5 = 1,
HASH_ALGO_SHA1 = 2,
HASH_ALGO_SHA224 = 3,
HASH_ALGO_SHA256 = 4,
HASH_ALGO_SHA384 = 5,
HASH_ALGO_SHA512 = 6,
};
enum SignatureAlgorithm {
SIG_ALGO_ANONYMOUS = 0,
SIG_ALGO_RSA = 1,
SIG_ALGO_DSA = 2,
SIG_ALGO_ECDSA = 3
};
DigitallySigned();
~DigitallySigned();
// Returns true if |other_hash_algorithm| and |other_signature_algorithm|
// match this DigitallySigned hash and signature algorithms.
bool SignatureParametersMatch(
HashAlgorithm other_hash_algorithm,
SignatureAlgorithm other_signature_algorithm) const;
HashAlgorithm hash_algorithm = HASH_ALGO_NONE;
SignatureAlgorithm signature_algorithm = SIG_ALGO_ANONYMOUS;
// 'signature' field.
std::string signature_data;
};
// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
struct NET_EXPORT SignedCertificateTimestamp
: public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
// Predicate functor used in maps when SignedCertificateTimestamp is used as
// the key.
struct NET_EXPORT LessThan {
bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
};
// Version enum in RFC 6962, Section 3.2.
enum Version {
V1 = 0,
};
// Source of the SCT - supplementary, not defined in CT RFC.
// Note: The numeric values are used within histograms and should not change
// or be re-assigned.
enum Origin {
SCT_EMBEDDED = 0,
SCT_FROM_TLS_EXTENSION = 1,
SCT_FROM_OCSP_RESPONSE = 2,
SCT_ORIGIN_MAX,
};
SignedCertificateTimestamp();
SignedCertificateTimestamp(const SignedCertificateTimestamp&) = delete;
SignedCertificateTimestamp& operator=(const SignedCertificateTimestamp&) =
delete;
void Persist(base::Pickle* pickle);
static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
base::PickleIterator* iter);
Version version = V1;
std::string log_id;
base::Time timestamp;
std::string extensions;
DigitallySigned signature;
Origin origin = SCT_EMBEDDED;
// The log description is not one of the SCT fields, but a user-readable
// name defined alongside the log key. It should not participate
// in equality checks as the log's description could change while
// the SCT would be the same.
std::string log_description;
private:
friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;
~SignedCertificateTimestamp();
};
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
} // namespace net::ct
#endif // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_