1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
6#define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
7
8#include <string>
9#include <vector>
10
11#include "base/macros.h"
12#include "base/memory/ref_counted.h"
13#include "base/time/time.h"
14#include "net/base/hash_value.h"
15#include "net/base/net_export.h"
16
// Forward declarations only: the SCT type below takes these by pointer
// (Persist / CreateFromPickle), so the full base::Pickle definitions are not
// needed by users of this header.
namespace base {
class Pickle;
class PickleIterator;
}
21
22namespace net {
23
// Data structures for Certificate Transparency (RFC 6962): the signed entry
// reconstructed from the certificate, the TLS DigitallySigned wrapper, and the
// SignedCertificateTimestamp itself.
25namespace ct {
26
// Contains the data necessary to reconstruct the signed_entry of a
// SignedCertificateTimestamp, from RFC 6962, Section 3.2.
//
// All the data necessary to validate a SignedCertificateTimestamp is present
// within the SignedCertificateTimestamp, except for the signature_type,
// entry_type, and the actual entry. The only supported signature_type at
// present is certificate_timestamp. The entry_type is implicit from the
// context in which it is received (those in the X.509 extension are
// precert_entry, all others are x509_entry). The signed_entry itself is
// reconstructed from the certificate being verified, or from the corresponding
// precertificate.
//
// Security note: because the entry is rebuilt locally from the certificate
// under validation (never taken from the log or the server), a valid SCT
// signature binds the log's promise to *this* certificate. Code that builds a
// SignedEntryData from any other source would silently weaken that binding.
//
// The SignedEntryData contains this reconstructed data, and can be used to
// either generate or verify the signature in SCTs.
struct NET_EXPORT SignedEntryData {
  // LogEntryType enum in RFC 6962, Section 3.1. The numeric values are the
  // wire codepoints (x509_entry = 0, precert_entry = 1) and must not change.
  enum Type {
    LOG_ENTRY_TYPE_X509 = 0,
    LOG_ENTRY_TYPE_PRECERT = 1
  };

  SignedEntryData();
  ~SignedEntryData();
  // Presumably clears every field so the struct can be reused for a different
  // entry; the implementation is in the .cc file — confirm there before relying
  // on a particular post-Reset() value of |type|.
  void Reset();

  // Selects which of the fields below is meaningful. Consumers should dispatch
  // on this rather than on whether a string happens to be non-empty.
  Type type;

  // Set if type == LOG_ENTRY_TYPE_X509.
  // Per RFC 6962, Section 3.2 this is the end-entity certificate
  // (ASN.1Cert, i.e. the DER encoding) that the SCT was issued for.
  std::string leaf_certificate;

  // Set if type == LOG_ENTRY_TYPE_PRECERT.
  // Per RFC 6962, Section 3.2: |issuer_key_hash| is the SHA-256 of the issuer's
  // public key, computed over its DER-encoded SubjectPublicKeyInfo, and
  // |tbs_certificate| is the TBSCertificate with the poison extension removed.
  // Which component performs that reconstruction is not visible in this header.
  SHA256HashValue issuer_key_hash;
  std::string tbs_certificate;
};
61
// Helper structure to represent Digitally Signed data, as described in
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
//
// The enumerator values below are the TLS 1.2 SignatureAndHashAlgorithm
// codepoints from RFC 5246, Section 7.4.1.4.1, so they must not be renumbered
// (they are presumably read straight from the serialized SCT).
//
// Security note: this struct mirrors the full TLS registry, including weak or
// unsupported entries (MD5, SHA-1, anonymous, DSA). Nothing in this type
// rejects them. RFC 6962, Section 2.1.4 requires logs to sign with SHA-256
// and either ECDSA (NIST P-256) or RSA, so the verifier — not this struct — is
// responsible for refusing any other combination.
struct NET_EXPORT DigitallySigned {
  // RFC 5246 HashAlgorithm: none(0), md5(1), sha1(2), sha224(3), sha256(4),
  // sha384(5), sha512(6).
  enum HashAlgorithm {
    HASH_ALGO_NONE = 0,
    HASH_ALGO_MD5 = 1,
    HASH_ALGO_SHA1 = 2,
    HASH_ALGO_SHA224 = 3,
    HASH_ALGO_SHA256 = 4,
    HASH_ALGO_SHA384 = 5,
    HASH_ALGO_SHA512 = 6,
  };

  // RFC 5246 SignatureAlgorithm: anonymous(0), rsa(1), dsa(2), ecdsa(3).
  enum SignatureAlgorithm {
    SIG_ALGO_ANONYMOUS = 0,
    SIG_ALGO_RSA = 1,
    SIG_ALGO_DSA = 2,
    SIG_ALGO_ECDSA = 3
  };

  DigitallySigned();
  ~DigitallySigned();

  // Returns true if |other_hash_algorithm| and |other_signature_algorithm|
  // match this DigitallySigned hash and signature algorithms.
  // Presumably used to check the algorithms an SCT declares against those of
  // the log's known public key before the signature is verified; confirm at
  // the call sites in the verifier.
  bool SignatureParametersMatch(
      HashAlgorithm other_hash_algorithm,
      SignatureAlgorithm other_signature_algorithm) const;

  HashAlgorithm hash_algorithm;
  SignatureAlgorithm signature_algorithm;
  // 'signature' field: the raw signature bytes (RFC 5246 'opaque
  // signature<0..2^16-1>'), presumably stored without the 2-byte length
  // prefix — confirm against the parser.
  std::string signature_data;
};
96
// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
//
// Instances are reference-counted and shared (RefCountedThreadSafe makes only
// the refcount thread-safe). All data members are public and unsynchronized,
// so an SCT should be fully populated before it is handed to another owner or
// thread and treated as immutable afterwards.
struct NET_EXPORT SignedCertificateTimestamp
    : public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
  // Predicate functor used in maps when SignedCertificateTimestamp is used as
  // the key. Presumably orders by the SCT's contents rather than by pointer
  // identity, and — per the note on |log_description| below — ignores that
  // field; confirm in the .cc file.
  struct NET_EXPORT LessThan {
    bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
                    const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
  };

  // Version enum in RFC 6962, Section 3.2. v1(0) is the only defined version;
  // an SCT claiming any other version cannot be interpreted by this code.
  enum Version {
    V1 = 0,
  };

  // Source of the SCT - supplementary, not defined in CT RFC.
  // Note: The numeric values are used within histograms and should not change
  // or be re-assigned. SCT_ORIGIN_MAX is an upper bound for histogram
  // bucketing, not a valid origin.
  enum Origin {
    SCT_EMBEDDED = 0,
    SCT_FROM_TLS_EXTENSION = 1,
    SCT_FROM_OCSP_RESPONSE = 2,
    SCT_ORIGIN_MAX,
  };

  SignedCertificateTimestamp();

  // Serializes this SCT into |pickle|; CreateFromPickle reads the same layout
  // back from |iter|. The pickle format is defined by the .cc implementation,
  // not by RFC 6962. CreateFromPickle presumably returns null on a truncated or
  // malformed pickle — callers must check the result rather than assume an SCT
  // was produced; confirm the failure behaviour in the .cc file.
  void Persist(base::Pickle* pickle);
  static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
      base::PickleIterator* iter);

  // The RFC 6962, Section 3.2 SCT fields. Per that section the signature
  // covers sct_version, signature_type, timestamp, the signed entry and
  // extensions, so |version|, |timestamp|, |extensions| and the reconstructed
  // entry (see SignedEntryData) must all be reproduced exactly at verification
  // time.
  Version version;
  // LogID: per RFC 6962, Section 3.2 the SHA-256 hash of the log's public key
  // (32 bytes). Used to look up the key that verifies |signature|.
  std::string log_id;
  // On the wire this is a uint64 of milliseconds since the UNIX epoch; the
  // conversion to/from base::Time lives in the .cc file.
  base::Time timestamp;
  // Opaque CtExtensions bytes. They are part of the signed data, so they must be
  // carried verbatim even though v1 defines no extensions.
  std::string extensions;
  DigitallySigned signature;
  // Where this SCT was obtained from (not an RFC field, not covered by the
  // signature).
  Origin origin;
  // The log description is not one of the SCT fields, but a user-readable
  // name defined alongside the log key. It should not participate
  // in equality checks as the log's description could change while
  // the SCT would be the same. It is likewise not covered by |signature|.
  std::string log_description;

 private:
  friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;

  // Private: instances are destroyed only when the last reference is released.
  ~SignedCertificateTimestamp();

  DISALLOW_COPY_AND_ASSIGN(SignedCertificateTimestamp);
};
147
// A list of SCTs. Each element holds one reference to a shared, refcounted
// SignedCertificateTimestamp; copying the list copies references, not SCTs.
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
149
150} // namespace ct
151
152} // namespace net
153
154#endif // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
155