1 files changed, 142 insertions, 0 deletions
diff --git a/security/certverifier/SignedCertificateTimestamp.h b/security/certverifier/SignedCertificateTimestamp.h
new file mode 100644
index 0000000000..25b324f6f4
--- /dev/null
+++ b/security/certverifier/SignedCertificateTimestamp.h
@@ -0,0 +1,142 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SignedCertificateTimestamp_h
+#define SignedCertificateTimestamp_h
+
+#include "mozilla/Vector.h"
+#include "pkix/Input.h"
+#include "pkix/Result.h"
+
+// Structures related to Certificate Transparency (RFC 6962).
+namespace mozilla { namespace ct {
+
+typedef Vector<uint8_t> Buffer;
+
+// LogEntry struct in RFC 6962, Section 3.1.
+struct LogEntry
+{
+
+  // LogEntryType enum in RFC 6962, Section 3.1.
+  enum class Type {
+    X509 = 0,
+    Precert = 1
+  };
+
+  void Reset();
+
+  Type type;
+
+  // Set if type == X509.
+  Buffer leafCertificate;
+
+  // Set if type == Precert.
+  Buffer issuerKeyHash;
+  Buffer tbsCertificate;
+};
+
+// Helper structure to represent Digitally Signed data, as described in
+// Sections 4.7 and 7.4.1.4.1 of RFC 5246.
+struct DigitallySigned
+{
+  enum class HashAlgorithm {
+    None = 0,
+    MD5 = 1,
+    SHA1 = 2,
+    SHA224 = 3,
+    SHA256 = 4,
+    SHA384 = 5,
+    SHA512 = 6,
+  };
+
+  enum class SignatureAlgorithm {
+    Anonymous = 0,
+    RSA = 1,
+    DSA = 2,
+    ECDSA = 3
+  };
+
+  // Returns true if |aHashAlgorithm| and |aSignatureAlgorithm|
+  // match this DigitallySigned hash and signature algorithms.
+  bool SignatureParametersMatch(HashAlgorithm aHashAlgorithm,
+                                SignatureAlgorithm aSignatureAlgorithm) const;
+
+  HashAlgorithm hashAlgorithm;
+  SignatureAlgorithm signatureAlgorithm;
+  // 'signature' field.
+  Buffer signatureData;
+};
+
+// SignedCertificateTimestamp struct in RFC 6962, Section 3.2.
+struct SignedCertificateTimestamp
+{
+  // Version enum in RFC 6962, Section 3.2.
+  enum class Version {
+    V1 = 0,
+  };
+
+  Version version;
+  Buffer logId;
+  // "timestamp" is the current time in milliseconds, measured since the epoch,
+  // ignoring leap seconds. See RFC 6962, Section 3.2.
+  uint64_t timestamp;
+  Buffer extensions;
+  DigitallySigned signature;
+
+  // Supplementary fields, not defined in CT RFC. Set during the various
+  // stages of processing the received SCTs.
+
+  enum class Origin {
+    Unknown,
+    Embedded,
+    TLSExtension,
+    OCSPResponse
+  };
+
+  enum class VerificationStatus {
+    None,
+    // The SCT is from a known log, and the signature is valid.
+    OK,
+    // The SCT is from an unknown log and can not be verified.
+    UnknownLog,
+    // The SCT is from a known log, but the signature is invalid.
+    InvalidSignature,
+    // The SCT signature is valid, but the timestamp is in the future.
+    // Such SCT are considered invalid (see RFC 6962, Section 5.2).
+    InvalidTimestamp
+  };
+
+  Origin origin;
+  VerificationStatus verificationStatus;
+};
+
+
+inline pkix::Result BufferToInput(const Buffer& buffer, pkix::Input& input)
+{
+  return input.Init(buffer.begin(), buffer.length());
+}
+
+inline pkix::Result InputToBuffer(pkix::Input input, Buffer& buffer)
+{
+  buffer.clear();
+  if (!buffer.append(input.UnsafeGetData(), input.GetLength())) {
+    return pkix::Result::FATAL_ERROR_NO_MEMORY;
+  }
+  return pkix::Success;
+}
+
+} } // namespace mozilla::ct
+
+namespace mozilla {
+
+// Comparison operators are placed under mozilla namespace since
+// mozilla::ct::Buffer is actually mozilla::Vector.
+bool operator==(const ct::Buffer& a, const ct::Buffer& b);
+bool operator!=(const ct::Buffer& a, const ct::Buffer& b);
+
+} // namespace mozilla
+
+#endif // SignedCertificateTimestamp_h