1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
6 #define NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_
7 
8 #include <string>
9 #include <vector>
10 
11 #include "base/memory/ref_counted.h"
12 #include "base/time/time.h"
13 #include "net/base/hash_value.h"
14 #include "net/base/net_export.h"
15 
// Forward declarations of the serialization types that Persist() and
// CreateFromPickle() below take by pointer, so the pickle headers need not
// be included by every user of this file.
namespace base {
class Pickle;
class PickleIterator;
}
20 
21 // Structures related to Certificate Transparency (RFC6962).
22 namespace net::ct {
23 
24 // Contains the data necessary to reconstruct the signed_entry of a
25 // SignedCertificateTimestamp, from RFC 6962, Section 3.2.
26 //
27 // All the data necessary to validate a SignedCertificateTimestamp is present
28 // within the SignedCertificateTimestamp, except for the signature_type,
29 // entry_type, and the actual entry. The only supported signature_type at
30 // present is certificate_timestamp.  The entry_type is implicit from the
31 // context in which it is received (those in the X.509 extension are
32 // precert_entry, all others are x509_entry). The signed_entry itself is
33 // reconstructed from the certificate being verified, or from the corresponding
34 // precertificate.
35 //
36 // The SignedEntryData contains this reconstructed data, and can be used to
37 // either generate or verify the signature in SCTs.
struct NET_EXPORT SignedEntryData {
  // LogEntryType enum in RFC 6962, Section 3.1. The numeric values are the
  // wire encoding of the entry type and must not be renumbered.
  enum Type {
    LOG_ENTRY_TYPE_X509 = 0,
    LOG_ENTRY_TYPE_PRECERT = 1
  };

  SignedEntryData();
  ~SignedEntryData();
  // Clears the entry. Implemented in the .cc; presumably restores the
  // in-class defaults below — confirm there before relying on the exact
  // post-state.
  void Reset();

  // Selects which of the two field groups below is meaningful. A
  // default-constructed entry is an X.509 entry.
  Type type = LOG_ENTRY_TYPE_X509;

  // Set if type == LOG_ENTRY_TYPE_X509.
  // Per RFC 6962, Section 3.1 this is the leaf certificate (ASN.1Cert); the
  // std::string is assumed to hold raw DER bytes, not text — confirm against
  // the code that populates it.
  std::string leaf_certificate;

  // Set if type == LOG_ENTRY_TYPE_PRECERT.
  // |issuer_key_hash| is a SHA-256 value; per RFC 6962, Section 3.2 it is the
  // hash of the issuing certificate's public key. |tbs_certificate| is the
  // precertificate's TBSCertificate (RFC 6962, Section 3.2); assumed to be raw
  // DER bytes in a std::string — confirm with the populating code.
  SHA256HashValue issuer_key_hash;
  std::string tbs_certificate;
};
58 
59 // Helper structure to represent Digitally Signed data, as described in
60 // Sections 4.7 and 7.4.1.4.1 of RFC 5246.
struct NET_EXPORT DigitallySigned {
  // HashAlgorithm from RFC 5246, Section 7.4.1.4.1. The numeric values are the
  // wire encoding and must not be renumbered.
  // NOTE(review): an algorithm being listed here (e.g. MD5, SHA-1) only means
  // it can be represented after parsing; whether it is accepted for signature
  // verification is decided by the verification code, not by this struct —
  // confirm the allow-list there.
  enum HashAlgorithm {
    HASH_ALGO_NONE = 0,
    HASH_ALGO_MD5 = 1,
    HASH_ALGO_SHA1 = 2,
    HASH_ALGO_SHA224 = 3,
    HASH_ALGO_SHA256 = 4,
    HASH_ALGO_SHA384 = 5,
    HASH_ALGO_SHA512 = 6,
  };

  // SignatureAlgorithm from RFC 5246, Section 7.4.1.4.1. Same wire-encoding
  // and acceptance caveats as HashAlgorithm above.
  enum SignatureAlgorithm {
    SIG_ALGO_ANONYMOUS = 0,
    SIG_ALGO_RSA = 1,
    SIG_ALGO_DSA = 2,
    SIG_ALGO_ECDSA = 3
  };

  DigitallySigned();
  ~DigitallySigned();

  // Returns true if |other_hash_algorithm| and |other_signature_algorithm|
  // match this DigitallySigned hash and signature algorithms.
  // Presumably compares only the two algorithm identifiers and does not look
  // at |signature_data| — confirm in the .cc.
  bool SignatureParametersMatch(
      HashAlgorithm other_hash_algorithm,
      SignatureAlgorithm other_signature_algorithm) const;

  // The defaults are the "none"/"anonymous" values, so a default-constructed
  // DigitallySigned does not describe a usable signature until both are set.
  HashAlgorithm hash_algorithm = HASH_ALGO_NONE;
  SignatureAlgorithm signature_algorithm = SIG_ALGO_ANONYMOUS;
  // 'signature' field (the opaque signature bytes of the RFC 5246
  // DigitallySigned structure); assumed to be raw bytes, not text.
  std::string signature_data;
};
93 
94 // SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
struct NET_EXPORT SignedCertificateTimestamp
    : public base::RefCountedThreadSafe<SignedCertificateTimestamp> {
  // Predicate functor used in maps when SignedCertificateTimestamp is used as
  // the key. The ordering criteria are defined in the .cc and are not visible
  // here; see the note on |log_description| below for a field that is
  // documented as not participating in equality.
  struct NET_EXPORT LessThan {
    bool operator()(const scoped_refptr<SignedCertificateTimestamp>& lhs,
                    const scoped_refptr<SignedCertificateTimestamp>& rhs) const;
  };

  // Version enum in RFC 6962, Section 3.2. Only v1 is defined.
  enum Version {
    V1 = 0,
  };

  // Source of the SCT - supplementary, not defined in CT RFC.
  // Note: The numeric values are used within histograms and should not change
  // or be re-assigned.
  // SCT_ORIGIN_MAX has no explicit value and so is one past the last real
  // origin; it is a bound, not a valid origin itself.
  enum Origin {
    SCT_EMBEDDED = 0,
    SCT_FROM_TLS_EXTENSION = 1,
    SCT_FROM_OCSP_RESPONSE = 2,
    SCT_ORIGIN_MAX,
  };

  SignedCertificateTimestamp();

  // Non-copyable: instances are shared by scoped_refptr (see SCTList), never
  // by value.
  SignedCertificateTimestamp(const SignedCertificateTimestamp&) = delete;
  SignedCertificateTimestamp& operator=(const SignedCertificateTimestamp&) =
      delete;

  // Serializes this SCT into |pickle|. Which fields are written (in
  // particular whether |log_description| round-trips) is defined in the .cc.
  void Persist(base::Pickle* pickle);
  // Reconstructs an SCT from data previously written by Persist().
  // NOTE(review): the result on a malformed or truncated pickle is not visible
  // here — confirm that it returns a null scoped_refptr rather than a
  // partially-initialised object, and that callers check for null, since
  // persisted data is read back from storage and should not be trusted to be
  // well-formed.
  static scoped_refptr<SignedCertificateTimestamp> CreateFromPickle(
      base::PickleIterator* iter);

  // SCT fields from RFC 6962, Section 3.2.
  Version version = V1;
  // Log identifier; per RFC 6962 this is the SHA-256 hash of the log's public
  // key. Assumed to be held as raw bytes — confirm with the parsing code.
  std::string log_id;
  // SCT issuance time. How the RFC's millisecond timestamp is mapped onto
  // base::Time is not visible here.
  base::Time timestamp;
  // CtExtensions from RFC 6962, Section 3.2; opaque bytes.
  std::string extensions;
  // Signature over the SCT's signed_entry (see SignedEntryData).
  DigitallySigned signature;
  // Where this SCT was obtained from; see Origin.
  Origin origin = SCT_EMBEDDED;
  // The log description is not one of the SCT fields, but a user-readable
  // name defined alongside the log key. It should not participate
  // in equality checks as the log's description could change while
  // the SCT would be the same.
  std::string log_description;

 private:
  // Destruction happens only through the ref-count release path; the friend
  // declaration is what lets RefCountedThreadSafe reach the private
  // destructor.
  friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>;

  ~SignedCertificateTimestamp();
};
146 
// A list of SCTs. Elements are ref-counted pointers because
// SignedCertificateTimestamp is non-copyable and derives from
// RefCountedThreadSafe.
using SCTList = std::vector<scoped_refptr<ct::SignedCertificateTimestamp>>;
148 
149 }  // namespace net::ct
150 
151 #endif  // NET_CERT_SIGNED_CERTIFICATE_TIMESTAMP_H_