mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-12-05 03:36:08 +03:00
152 lines
4.5 KiB
C++
152 lines
4.5 KiB
C++
// Copyright 2013 The Chromium Authors
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
|
|
#define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
|
|
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include "base/memory/ref_counted.h"
|
|
#include "base/time/time.h"
|
|
#include "net/base/hash_value.h"
|
|
#include "net/base/net_export.h"
|
|
|
|
namespace base {
|
|
class Pickle;
|
|
class PickleIterator;
|
|
}
|
|
|
|
// Structures related to Certificate Transparency (RFC6962).
|
|
namespace net::ct {
|
|
|
|
// Contains the data necessary to reconstruct the signed_entry of a
|
|
// SignedCertificateTimestamp, from RFC 6962, Section 3.2.
|
|
//
|
|
// All the data necessary to validate a SignedCertificateTimestamp is present
|
|
// within the SignedCertificateTimestamp, except for the signature_type,
|
|
// entry_type, and the actual entry. The only supported signature_type at
|
|
// present is certificate_timestamp. The entry_type is implicit from the
|
|
// context in which it is received (those in the X.509 extension are
|
|
// precert_entry, all others are x509_entry). The signed_entry itself is
|
|
// reconstructed from the certificate being verified, or from the corresponding
|
|
// precertificate.
|
|
//
|
|
// The SignedEntryData contains this reconstructed data, and can be used to
|
|
// either generate or verify the signature in SCTs.
|
|
struct NET_EXPORT SignedEntryData {
|
|
// LogEntryType enum in RFC 6962, Section 3.1
|
|
enum Type {
|
|
LOG_ENTRY_TYPE_X509 = 0,
|
|
LOG_ENTRY_TYPE_PRECERT = 1
|
|
};
|
|
|
|
SignedEntryData();
|
|
~SignedEntryData();
|
|
void Reset();
|
|
|
|
Type type = LOG_ENTRY_TYPE_X509;
|
|
|
|
// Set if type == LOG_ENTRY_TYPE_X509
|
|
std::string leaf_certificate;
|
|
|
|
// Set if type == LOG_ENTRY_TYPE_PRECERT
|
|
SHA256HashValue issuer_key_hash;
|
|
std::string tbs_certificate;
|
|
};
|
|
|
|
// Helper structure to represent Digitally Signed data, as described in
|
|
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
|
|
struct NET_EXPORT DigitallySigned {
|
|
enum HashAlgorithm {
|
|
HASH_ALGO_NONE = 0,
|
|
HASH_ALGO_MD5 = 1,
|
|
HASH_ALGO_SHA1 = 2,
|
|
HASH_ALGO_SHA224 = 3,
|
|
HASH_ALGO_SHA256 = 4,
|
|
HASH_ALGO_SHA384 = 5,
|
|
HASH_ALGO_SHA512 = 6,
|
|
};
|
|
|
|
enum SignatureAlgorithm {
|
|
SIG_ALGO_ANONYMOUS = 0,
|
|
SIG_ALGO_RSA = 1,
|
|
SIG_ALGO_DSA = 2,
|
|
SIG_ALGO_ECDSA = 3
|
|
};
|
|
|
|
DigitallySigned();
|
|
~DigitallySigned();
|
|
|
|
// Returns true if |other_hash_algorithm| and |other_signature_algorithm|
|
|
// match this DigitallySigned hash and signature algorithms.
|
|
bool SignatureParametersMatch(
|
|
HashAlgorithm other_hash_algorithm,
|
|
SignatureAlgorithm other_signature_algorithm) const;
|
|
|
|
HashAlgorithm hash_algorithm = HASH_ALGO_NONE;
|
|
SignatureAlgorithm signature_algorithm = SIG_ALGO_ANONYMOUS;
|
|
// 'signature' field.
|
|
std::string signature_data;
|
|
};
|
|
|
|
// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
|
|
struct NET_EXPORT SignedCertificateTimestamp
|
|
: public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
|
|
// Predicate functor used in maps when SignedCertificateTimestamp is used as
|
|
// the key.
|
|
struct NET_EXPORT LessThan {
|
|
bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
|
|
const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
|
|
};
|
|
|
|
// Version enum in RFC 6962, Section 3.2.
|
|
enum Version {
|
|
V1 = 0,
|
|
};
|
|
|
|
// Source of the SCT - supplementary, not defined in CT RFC.
|
|
// Note: The numeric values are used within histograms and should not change
|
|
// or be re-assigned.
|
|
enum Origin {
|
|
SCT_EMBEDDED = 0,
|
|
SCT_FROM_TLS_EXTENSION = 1,
|
|
SCT_FROM_OCSP_RESPONSE = 2,
|
|
SCT_ORIGIN_MAX,
|
|
};
|
|
|
|
SignedCertificateTimestamp();
|
|
|
|
SignedCertificateTimestamp(const SignedCertificateTimestamp&) = delete;
|
|
SignedCertificateTimestamp& operator=(const SignedCertificateTimestamp&) =
|
|
delete;
|
|
|
|
void Persist(base::Pickle* pickle);
|
|
static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
|
|
base::PickleIterator* iter);
|
|
|
|
Version version = V1;
|
|
std::string log_id;
|
|
base::Time timestamp;
|
|
std::string extensions;
|
|
DigitallySigned signature;
|
|
Origin origin = SCT_EMBEDDED;
|
|
// The log description is not one of the SCT fields, but a user-readable
|
|
// name defined alongside the log key. It should not participate
|
|
// in equality checks as the log's description could change while
|
|
// the SCT would be the same.
|
|
std::string log_description;
|
|
|
|
private:
|
|
friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;
|
|
|
|
~SignedCertificateTimestamp();
|
|
};
|
|
|
|
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
|
|
|
|
} // namespace net::ct
|
|
|
|
#endif // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
|