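--- /dev/null
+++ b/net/cert/internal/name_constraints.h
@@ -0,0 +1,111 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_
+#define NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_
+
+#include <vector>
+
+#include "net/base/ip_address_number.h"
+#include "net/der/input.h"
+
+namespace net {
+
+// Parses a NameConstraints extension value and allows testing whether names are
+// allowed under those constraints as defined by RFC 5280 section 4.2.1.10.
+class NET_EXPORT NameConstraints {
+public:
+// TODO: make this private? (requires making some currently anonymous
+// functions into private static methods.) Or maybe this will need to be split
+// out into a public class, since GeneralNames is used other places in a
+// certificate also...
+struct GeneralNames {
+GeneralNames();
+~GeneralNames();
+
+// ASCII hostnames.
+std::vector<std::string> dns_names;
+
+// DER encoded Name values (not including the Sequence tag).
+std::vector<std::vector<uint8_t>> directory_names;
+
+// iPAddresses. For Subject Alternative Name this will be 4 bytes for IPv4
+// or 16 bytes for IPv6. For Name Constraints, it will be ip + netmask
+// (8 bytes for IPv4, 32 bytes for IPv6).
+std::vector<std::vector<uint8_t>> ip_addresses;
+
+// Whether any values of the other types were present.
+bool has_other_names;
+bool has_rfc822_names;
+bool has_x400_addresses;
+bool has_edi_party_names;
+bool has_uniform_resource_identifiers;
+bool has_registered_ids;
+};
+
+~NameConstraints();
+
+// Parse a DER-encoded NameConstraints extension. |extension_value| should be
+// the extnValue octet string from the extension, |is_critical| should be true
+// if the extension was marked critical.
+// Returns true if the extension was parsed successfully.
+// The object lifetime is not bound to the lifetime of |extension_value| data.
+bool Parse(const der::Input& extension_value, bool is_critical);
+
+// Tests if a certificate is allowed by the name constraints.
+// |subject_rdn_sequence| should be the DER-encoded value of the subject's
+// RDNSequence field (not including Sequence tag), and may be an empty ASN.1
+// sequence. |subject_alt_name| should be the extnValue of the subjectAltName
+// extension, or empty if the cert did not have a subjectAltName extension.
+// |is_leaf_cert| should be true if the certificate is the leaf of the
+// certificate chain, in which case subject commonName hostname/ip checking is
+// done.
+bool IsPermittedCert(const der::Input& subject_rdn_sequence,
+const der::Input& subject_alt_name,
+bool is_leaf_cert) const;
+
+// Returns true if the ASCII hostname |name| is permitted.
+// |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com" is
+// considered would not be permitted if "bar.com" is permitted and
+// "foo.bar.com" is excluded, while "*.baz.com" would only be permitted if
+// "baz.com" is permitted.
+bool IsPermittedDNSName(const std::string& name) const;
+
+// Returns true if the directoryName |name| is permitted.
+// |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
+// including the Sequence tag.)
+bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const;
+
+// Returns true if the iPAddress |ip| is permitted.
+bool IsPermittedIP(const IPAddressNumber& ip) const;
+
+// These name types aren't supported, therefore names of these types are
+// permitted only if they don't appear in the name constraints at all, or if
+// the name constraint they appeared in was non-critical.
+//
+// RFC 5280 section 4.2.1.10 says:
+// Applications conforming to this profile MUST be able to process name
+// constraints that are imposed on the directoryName name form and SHOULD be
+// able to process name constraints that are imposed on the rfc822Name,
+// uniformResourceIdentifier, dNSName, and iPAddress name forms.
+// If a name constraints extension that is marked as critical
+// imposes constraints on a particular name form, and an instance of
+// that name form appears in the subject field or subjectAltName
+// extension of a subsequent certificate, then the application MUST
+// either process the constraint or reject the certificate.
+bool IsPermittedOtherName() const;
+bool IsPermittedRFC822Name() const;
+bool IsPermittedX400Address() const;
+bool IsPermittedEdiPartyName() const;
+bool IsPermittedURI() const;
+bool IsPermittedRegisteredId() const;
+
+private:
+GeneralNames permitted_subtrees_;
+GeneralNames excluded_subtrees_;
+};
+
+} // namespace net
+
+#endif // NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_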
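Review bot: The header uses `std::string` (dns_names, IsPermittedDNSName), `uint8_t` (directory_names, ip_addresses) and the `NET_EXPORT` macro but only includes `<vector>` and the two net headers, so it compiles only through whatever those headers happen to pull in transitively; add `#include <stdint.h>`, `#include <string>` and `#include "net/base/net_export.h"` alongside the existing includes. The six `has_*` flags in GeneralNames are plain `bool` members with no in-class initializer, so whether a freshly constructed GeneralNames reports "no such names present" depends entirely on the out-of-line `GeneralNames()` constructor, which is not in this hunk; since IsPermittedOtherName and its siblings presumably read these flags to decide whether an unsupported name form blocks the certificate, an uninitialized flag would fail in an unspecified direction, and writing `bool has_other_names = false;` (and likewise for the others) makes the safe default visible and enforced in the header. The IsPermittedDNSName comment also reads "is considered would not be permitted", which is garbled; suggest `// "*.bar.com" would not be permitted if "bar.com" is permitted and`.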