net/quic/crypto/proof_source.h - chromium/src - Git at Google

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef NET_QUIC_CRYPTO_PROOF_SOURCE_H_
 #define NET_QUIC_CRYPTO_PROOF_SOURCE_H_

 #include <string>
 #include <vector>

 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/quic/quic_protocol.h"

 namespace net {

 class IPAddress;

 // ProofSource is an interface by which a QUIC server can obtain certificate
 // chains and signatures that prove its identity.
 class NET_EXPORT_PRIVATE ProofSource {
  public:
   // Chain is a reference-counted wrapper for a std::vector of std::stringified
   // certificates.
   struct NET_EXPORT_PRIVATE Chain : public base::RefCounted<Chain> {
     explicit Chain(const std::vector<std::string>& certs);

     const std::vector<std::string> certs;

    private:
     friend class base::RefCounted<Chain>;

     virtual ~Chain();

     DISALLOW_COPY_AND_ASSIGN(Chain);
   };

   virtual ~ProofSource() {}

   // GetProof finds a certificate chain for |hostname|, sets |out_certs| to
   // point to it (in leaf-first order), calculates a signature of
   // |server_config| using that chain and puts the result in |out_signature|.
   //
   // The signature uses SHA-256 as the hash function and PSS padding when the
   // key is RSA.
   //
   // The signature uses SHA-256 as the hash function when the key is ECDSA.
   //
   // If |ecdsa_ok| is true, the signature may use an ECDSA key. Otherwise, the
   // signature must use an RSA key.
   //
   // |out_chain| is reference counted to avoid the (assumed) expense of copying
   // out the certificates.
   //
   // The number of certificate chains is expected to be small and fixed thus
   // the ProofSource retains ownership of the contents of |out_certs|. The
   // expectation is that they will be cached forever.
   //
   // For version before QUIC_VERSION_30, the signature values should be cached
   // because |server_config| will be somewhat static. However, since they aren't
   // bounded, the ProofSource may wish to evicit entries from that cache, thus
   // the caller takes ownership of |*out_signature|.
   //
   // For QUIC_VERSION_30 and later, the signature depends on |chlo_hash|
   // which means that the signature can not be cached. The caller takes
   // ownership of |*out_signature|.
   //
   // |hostname| may be empty to signify that a default certificate should be
   // used.
   //
   // |out_leaf_cert_sct| points to the signed timestamp (RFC6962) of the leaf
   // cert.
   // This function may be called concurrently.
   virtual bool GetProof(const IPAddress& server_ip,
                         const std::string& hostname,
                         const std::string& server_config,
                         QuicVersion quic_version,
                         base::StringPiece chlo_hash,
                         bool ecdsa_ok,
                         scoped_refptr<Chain>* out_chain,
                         std::string* out_signature,
                         std::string* out_leaf_cert_sct) = 0;
 };

 }  // namespace net

 #endif  // NET_QUIC_CRYPTO_PROOF_SOURCE_H_
	// Copyright (c) 2013 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef NET_QUIC_CRYPTO_PROOF_SOURCE_H_
	#define NET_QUIC_CRYPTO_PROOF_SOURCE_H_

	#include <string>
	#include <vector>

	#include "base/memory/ref_counted.h"
	#include "net/base/net_export.h"
	#include "net/quic/quic_protocol.h"

	namespace net {

	class IPAddress;

	// ProofSource is an interface by which a QUIC server can obtain certificate
	// chains and signatures that prove its identity.
	class NET_EXPORT_PRIVATE ProofSource {
	public:
	// Chain is a reference-counted wrapper for a std::vector of std::stringified
	// certificates.
	struct NET_EXPORT_PRIVATE Chain : public base::RefCounted<Chain> {
	explicit Chain(const std::vector<std::string>& certs);

	const std::vector<std::string> certs;

	private:
	friend class base::RefCounted<Chain>;

	virtual ~Chain();

	DISALLOW_COPY_AND_ASSIGN(Chain);
	};

	virtual ~ProofSource() {}

	// GetProof finds a certificate chain for \|hostname\|, sets \|out_certs\| to
	// point to it (in leaf-first order), calculates a signature of
	// \|server_config\| using that chain and puts the result in \|out_signature\|.
	//
	// The signature uses SHA-256 as the hash function and PSS padding when the
	// key is RSA.
	//
	// The signature uses SHA-256 as the hash function when the key is ECDSA.
	//
	// If \|ecdsa_ok\| is true, the signature may use an ECDSA key. Otherwise, the
	// signature must use an RSA key.
	//
	// \|out_chain\| is reference counted to avoid the (assumed) expense of copying
	// out the certificates.
	//
	// The number of certificate chains is expected to be small and fixed thus
	// the ProofSource retains ownership of the contents of \|out_certs\|. The
	// expectation is that they will be cached forever.
	//
	// For version before QUIC_VERSION_30, the signature values should be cached
	// because \|server_config\| will be somewhat static. However, since they aren't
	// bounded, the ProofSource may wish to evicit entries from that cache, thus
	// the caller takes ownership of \|*out_signature\|.
	//
	// For QUIC_VERSION_30 and later, the signature depends on \|chlo_hash\|
	// which means that the signature can not be cached. The caller takes
	// ownership of \|*out_signature\|.
	//
	// \|hostname\| may be empty to signify that a default certificate should be
	// used.
	//
	// \|out_leaf_cert_sct\| points to the signed timestamp (RFC6962) of the leaf
	// cert.
	// This function may be called concurrently.
	virtual bool GetProof(const IPAddress& server_ip,
	const std::string& hostname,
	const std::string& server_config,
	QuicVersion quic_version,
	base::StringPiece chlo_hash,
	bool ecdsa_ok,
	scoped_refptr<Chain>* out_chain,
	std::string* out_signature,
	std::string* out_leaf_cert_sct) = 0;
	};

	} // namespace net

	#endif // NET_QUIC_CRYPTO_PROOF_SOURCE_H_