2016-04-11 16:17:25 +03:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
#ifndef SignedCertificateTimestamp_h
|
|
|
|
#define SignedCertificateTimestamp_h
|
|
|
|
|
|
|
|
#include "mozilla/Vector.h"
|
|
|
|
#include "pkix/Input.h"
|
|
|
|
#include "pkix/Result.h"
|
|
|
|
|
|
|
|
// Structures related to Certificate Transparency (RFC 6962).
|
|
|
|
namespace mozilla { namespace ct {
|
|
|
|
|
|
|
|
typedef Vector<uint8_t> Buffer;
|
|
|
|
|
|
|
|
// LogEntry struct in RFC 6962, Section 3.1.
|
|
|
|
struct LogEntry
|
|
|
|
{
|
|
|
|
|
|
|
|
// LogEntryType enum in RFC 6962, Section 3.1.
|
|
|
|
enum class Type {
|
|
|
|
X509 = 0,
|
|
|
|
Precert = 1
|
|
|
|
};
|
|
|
|
|
|
|
|
void Reset();
|
|
|
|
|
|
|
|
Type type;
|
|
|
|
|
|
|
|
// Set if type == X509.
|
|
|
|
Buffer leafCertificate;
|
|
|
|
|
|
|
|
// Set if type == Precert.
|
|
|
|
Buffer issuerKeyHash;
|
|
|
|
Buffer tbsCertificate;
|
|
|
|
};
|
|
|
|
|
|
|
|
// Helper structure to represent Digitally Signed data, as described in
|
|
|
|
// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
|
|
|
|
struct DigitallySigned
|
|
|
|
{
|
|
|
|
enum class HashAlgorithm {
|
|
|
|
None = 0,
|
|
|
|
MD5 = 1,
|
|
|
|
SHA1 = 2,
|
|
|
|
SHA224 = 3,
|
|
|
|
SHA256 = 4,
|
|
|
|
SHA384 = 5,
|
|
|
|
SHA512 = 6,
|
|
|
|
};
|
|
|
|
|
|
|
|
enum class SignatureAlgorithm {
|
|
|
|
Anonymous = 0,
|
|
|
|
RSA = 1,
|
|
|
|
DSA = 2,
|
|
|
|
ECDSA = 3
|
|
|
|
};
|
|
|
|
|
|
|
|
// Returns true if |aHashAlgorithm| and |aSignatureAlgorithm|
|
|
|
|
// match this DigitallySigned hash and signature algorithms.
|
|
|
|
bool SignatureParametersMatch(HashAlgorithm aHashAlgorithm,
|
|
|
|
SignatureAlgorithm aSignatureAlgorithm) const;
|
|
|
|
|
|
|
|
HashAlgorithm hashAlgorithm;
|
|
|
|
SignatureAlgorithm signatureAlgorithm;
|
|
|
|
// 'signature' field.
|
|
|
|
Buffer signatureData;
|
|
|
|
};
|
|
|
|
|
|
|
|
// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
|
|
|
|
struct SignedCertificateTimestamp
|
|
|
|
{
|
|
|
|
// Version enum in RFC 6962, Section 3.2.
|
|
|
|
enum class Version {
|
|
|
|
V1 = 0,
|
|
|
|
};
|
|
|
|
|
|
|
|
Version version;
|
|
|
|
Buffer logId;
|
2016-07-05 08:35:06 +03:00
|
|
|
// "timestamp" is the current time in milliseconds, measured since the epoch,
|
|
|
|
// ignoring leap seconds. See RFC 6962, Section 3.2.
|
2016-04-11 16:17:25 +03:00
|
|
|
uint64_t timestamp;
|
|
|
|
Buffer extensions;
|
|
|
|
DigitallySigned signature;
|
2016-08-11 13:41:50 +03:00
|
|
|
|
|
|
|
// Supplementary fields, not defined in CT RFC. Set during the various
|
|
|
|
// stages of processing the received SCTs.
|
|
|
|
|
|
|
|
enum class Origin {
|
|
|
|
Unknown,
|
|
|
|
Embedded,
|
|
|
|
TLSExtension,
|
|
|
|
OCSPResponse
|
|
|
|
};
|
|
|
|
|
|
|
|
enum class VerificationStatus {
|
|
|
|
None,
|
|
|
|
// The SCT is from a known log, and the signature is valid.
|
|
|
|
OK,
|
|
|
|
// The SCT is from an unknown log and can not be verified.
|
|
|
|
UnknownLog,
|
|
|
|
// The SCT is from a known log, but the signature is invalid.
|
|
|
|
InvalidSignature,
|
|
|
|
// The SCT signature is valid, but the timestamp is in the future.
|
|
|
|
// Such SCT are considered invalid (see RFC 6962, Section 5.2).
|
|
|
|
InvalidTimestamp
|
|
|
|
};
|
|
|
|
|
2016-04-11 16:17:25 +03:00
|
|
|
Origin origin;
|
2016-08-11 13:41:50 +03:00
|
|
|
VerificationStatus verificationStatus;
|
2016-04-11 16:17:25 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
inline pkix::Result BufferToInput(const Buffer& buffer, pkix::Input& input)
|
|
|
|
{
|
|
|
|
return input.Init(buffer.begin(), buffer.length());
|
|
|
|
}
|
|
|
|
|
|
|
|
inline pkix::Result InputToBuffer(pkix::Input input, Buffer& buffer)
|
|
|
|
{
|
|
|
|
buffer.clear();
|
|
|
|
if (!buffer.append(input.UnsafeGetData(), input.GetLength())) {
|
|
|
|
return pkix::Result::FATAL_ERROR_NO_MEMORY;
|
|
|
|
}
|
|
|
|
return pkix::Success;
|
|
|
|
}
|
|
|
|
|
|
|
|
} } // namespace mozilla::ct
|
|
|
|
|
|
|
|
namespace mozilla {
|
|
|
|
|
|
|
|
// Comparison operators are placed under mozilla namespace since
|
|
|
|
// mozilla::ct::Buffer is actually mozilla::Vector.
|
|
|
|
bool operator==(const ct::Buffer& a, const ct::Buffer& b);
|
|
|
|
bool operator!=(const ct::Buffer& a, const ct::Buffer& b);
|
|
|
|
|
|
|
|
} // namespace mozilla
|
|
|
|
|
|
|
|
#endif // SignedCertificateTimestamp_h
|