コード例 #1
0
Result
MultiLogCTVerifier::VerifySingleSCT(SignedCertificateTimestamp&& sct,
                                    const LogEntry& expectedEntry,
                                    Time time,
                                    CTVerifyResult& result)
{
  CTLogVerifier* matchingLog = nullptr;
  for (auto& log : mLogs) {
    if (log.keyId() == sct.logId) {
      matchingLog = &log;
      break;
    }
  }

  if (!matchingLog) {
    // SCT does not match any known log.
    return StoreVerifiedSct(result, Move(sct),
      SignedCertificateTimestamp::VerificationStatus::UnknownLog);
  }

  if (!matchingLog->SignatureParametersMatch(sct.signature)) {
    // SCT signature parameters do not match the log's.
    return StoreVerifiedSct(result, Move(sct),
      SignedCertificateTimestamp::VerificationStatus::InvalidSignature);
  }

  Result rv = matchingLog->Verify(expectedEntry, sct);
  if (rv != Success) {
    if (rv == Result::ERROR_BAD_SIGNATURE) {
      return StoreVerifiedSct(result, Move(sct),
        SignedCertificateTimestamp::VerificationStatus::InvalidSignature);
    }
    return rv;
  }

  // |sct.timestamp| is measured in milliseconds since the epoch,
  // ignoring leap seconds. When converting it to a second-level precision
  // pkix::Time, we need to round it either up or down. In our case, rounding up
  // is more "secure", although practically it does not matter.
  Time sctTime = TimeFromEpochInSeconds((sct.timestamp + 999u) / 1000u);

  // SCT verified ok, just make sure the timestamp is legitimate.
  if (sctTime > time) {
    return StoreVerifiedSct(result, Move(sct),
      SignedCertificateTimestamp::VerificationStatus::InvalidTimestamp);
  }

  return StoreVerifiedSct(result, Move(sct),
    SignedCertificateTimestamp::VerificationStatus::OK);
}
コード例 #2
0
Result
MultiLogCTVerifier::VerifySingleSCT(SignedCertificateTimestamp&& sct,
                                    const LogEntry& expectedEntry,
                                    uint64_t time,
                                    CTVerifyResult& result)
{
  CTLogVerifier* matchingLog = nullptr;
  for (auto& log : mLogs) {
    if (log.keyId() == sct.logId) {
      matchingLog = &log;
      break;
    }
  }

  if (!matchingLog) {
    // SCT does not match any known log.
    return StoreVerifiedSct(result, Move(sct), SCTVerifyStatus::UnknownLog);
  }

  if (!matchingLog->SignatureParametersMatch(sct.signature)) {
    // SCT signature parameters do not match the log's.
    return StoreVerifiedSct(result, Move(sct), SCTVerifyStatus::Invalid);
  }

  Result rv = matchingLog->Verify(expectedEntry, sct);
  if (rv != Success) {
    if (rv == Result::ERROR_BAD_SIGNATURE) {
      return StoreVerifiedSct(result, Move(sct), SCTVerifyStatus::Invalid);
    }
    return rv;
  }

  // SCT verified ok, just make sure the timestamp is legitimate.
  if (sct.timestamp > time) {
    return StoreVerifiedSct(result, Move(sct), SCTVerifyStatus::Invalid);
  }

  return StoreVerifiedSct(result, Move(sct), SCTVerifyStatus::OK);
}