summaryrefslogtreecommitdiffstats
path: root/security/certverifier/SignedCertificateTimestamp.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/certverifier/SignedCertificateTimestamp.h')
-rw-r--r--security/certverifier/SignedCertificateTimestamp.h142
1 files changed, 142 insertions, 0 deletions
diff --git a/security/certverifier/SignedCertificateTimestamp.h b/security/certverifier/SignedCertificateTimestamp.h
new file mode 100644
index 000000000..25b324f6f
--- /dev/null
+++ b/security/certverifier/SignedCertificateTimestamp.h
@@ -0,0 +1,142 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SignedCertificateTimestamp_h
+#define SignedCertificateTimestamp_h
+
+#include "mozilla/Vector.h"
+#include "pkix/Input.h"
+#include "pkix/Result.h"
+
+// Structures related to Certificate Transparency (RFC 6962).
+namespace mozilla { namespace ct {
+
+typedef Vector<uint8_t> Buffer;
+
+// LogEntry struct in RFC 6962, Section 3.1.
+struct LogEntry
+{
+
+ // LogEntryType enum in RFC 6962, Section 3.1.
+ enum class Type {
+ X509 = 0,
+ Precert = 1
+ };
+
+ void Reset();
+
+ Type type;
+
+ // Set if type == X509.
+ Buffer leafCertificate;
+
+ // Set if type == Precert.
+ Buffer issuerKeyHash;
+ Buffer tbsCertificate;
+};
+
+// Helper structure to represent Digitally Signed data, as described in
+// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
+struct DigitallySigned
+{
+ enum class HashAlgorithm {
+ None = 0,
+ MD5 = 1,
+ SHA1 = 2,
+ SHA224 = 3,
+ SHA256 = 4,
+ SHA384 = 5,
+ SHA512 = 6,
+ };
+
+ enum class SignatureAlgorithm {
+ Anonymous = 0,
+ RSA = 1,
+ DSA = 2,
+ ECDSA = 3
+ };
+
+ // Returns true if |aHashAlgorithm| and |aSignatureAlgorithm|
+ // match this DigitallySigned hash and signature algorithms.
+ bool SignatureParametersMatch(HashAlgorithm aHashAlgorithm,
+ SignatureAlgorithm aSignatureAlgorithm) const;
+
+ HashAlgorithm hashAlgorithm;
+ SignatureAlgorithm signatureAlgorithm;
+ // 'signature' field.
+ Buffer signatureData;
+};
+
+// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
+struct SignedCertificateTimestamp
+{
+ // Version enum in RFC 6962, Section 3.2.
+ enum class Version {
+ V1 = 0,
+ };
+
+ Version version;
+ Buffer logId;
+ // "timestamp" is the current time in milliseconds, measured since the epoch,
+ // ignoring leap seconds. See RFC 6962, Section 3.2.
+ uint64_t timestamp;
+ Buffer extensions;
+ DigitallySigned signature;
+
+ // Supplementary fields, not defined in CT RFC. Set during the various
+ // stages of processing the received SCTs.
+
+ enum class Origin {
+ Unknown,
+ Embedded,
+ TLSExtension,
+ OCSPResponse
+ };
+
+ enum class VerificationStatus {
+ None,
+ // The SCT is from a known log, and the signature is valid.
+ OK,
+ // The SCT is from an unknown log and can not be verified.
+ UnknownLog,
+ // The SCT is from a known log, but the signature is invalid.
+ InvalidSignature,
+ // The SCT signature is valid, but the timestamp is in the future.
+ // Such SCT are considered invalid (see RFC 6962, Section 5.2).
+ InvalidTimestamp
+ };
+
+ Origin origin;
+ VerificationStatus verificationStatus;
+};
+
+
+inline pkix::Result BufferToInput(const Buffer& buffer, pkix::Input& input)
+{
+ return input.Init(buffer.begin(), buffer.length());
+}
+
+inline pkix::Result InputToBuffer(pkix::Input input, Buffer& buffer)
+{
+ buffer.clear();
+ if (!buffer.append(input.UnsafeGetData(), input.GetLength())) {
+ return pkix::Result::FATAL_ERROR_NO_MEMORY;
+ }
+ return pkix::Success;
+}
+
+} } // namespace mozilla::ct
+
+namespace mozilla {
+
+// Comparison operators are placed under mozilla namespace since
+// mozilla::ct::Buffer is actually mozilla::Vector.
+bool operator==(const ct::Buffer& a, const ct::Buffer& b);
+bool operator!=(const ct::Buffer& a, const ct::Buffer& b);
+
+} // namespace mozilla
+
+#endif // SignedCertificateTimestamp_h