Class for parsing and evaluating RFC 5280 NameConstraints.

net/cert/internal/verify_name_match.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_name_match.h"
 
 #include <string.h>
 
 #include "base/stl_util.h"
 #include "base/strings/string16.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversion_utils.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/sys_byteorder.h"
 #include "base/third_party/icu/icu_utf.h"
 #include "base/tuple.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "net/der/tag.h"
 
 namespace net {
 
 namespace {
 
+// RFC 5280 section A.1:
+//
+// pkcs-9 OBJECT IDENTIFIER ::=
+//   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+//
+// id-emailAddress      AttributeType ::= { pkcs-9 1 }
+//
+// In dotted form: 1.2.840.113549.1.9.1
+const uint8_t kOidEmailAddress[] = {0x2A, 0x86, 0x48, 0x86, 0xF7,
+                                    0x0D, 0x01, 0x09, 0x01};
+
+// RFC 5280 section A.1:
+//
+// id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+//
+// id-at-commonName        AttributeType ::= { id-at 3 }
+//
+// In dotted form: 2.5.4.3
+const uint8_t kOidCommonName[] = {0x55, 0x04, 0x03};
+
 // Types of character set checking that NormalizeDirectoryString can perform.
 enum CharsetEnforcement {
   NO_ENFORCEMENT,
   ENFORCE_PRINTABLE_STRING,
   ENFORCE_ASCII,
 };
 
 // Normalizes |output|, a UTF-8 encoded string, as if it contained
 // only ASCII characters.
 //
@@ skipping 342 matching lines @@
     }
     if (!matched)
       return false;
   }
 
   // Every element in |a_type_and_values| had a matching element in
   // |b_type_and_values|.
   return true;
 }
 
-}  // namespace
-
+enum NameMatchType {
+  EXACT_MATCH,
+  SUBTREE_MATCH,
+};

[eroman, 2015/08/26 19:56:44]

newline

[mattm, 2015/08/29 01:37:19]

Done.

+// Verify that |a| matches |b|. If |match_type| is EXACT_MATCH, returns true if
+// they are an exact match as defined by RFC 5280 7.1. If |match_type| is
+// SUBTREE_MATCH, returns true if |a| is within the subtree defined by |b| as
+// defined by RFC 5280 7.1.
+//
 // |a| and |b| are ASN.1 RDNSequence values (not including the Sequence tag),
 // defined in RFC 5280 section 4.1.2.4:
 //
 // Name ::= CHOICE { -- only one possibility for now --
 //   rdnSequence  RDNSequence }
 //
 // RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 //
 // RelativeDistinguishedName ::=
 //   SET SIZE (1..MAX) OF AttributeTypeAndValue
-bool VerifyNameMatch(const der::Input& a, const der::Input& b) {
+bool VerifyNameMatchInternal(const der::Input& a,
+                             const der::Input& b,
+                             NameMatchType match_type) {
   // Empty Names are allowed.  RFC 5280 section 4.1.2.4 requires "The issuer
   // field MUST contain a non-empty distinguished name (DN)", while section
   // 4.1.2.6 allows for the Subject to be empty in certain cases. The caller is
   // assumed to have verified those conditions.
 
   // RFC 5280 section 7.1:
   // Two distinguished names DN1 and DN2 match if they have the same number of
   // RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching
   // RDNs appear in the same order in both DNs.
 
   // First just check if the inputs have the same number of RDNs:
   der::Parser a_rdn_sequence_counter(a);
   der::Parser b_rdn_sequence_counter(b);
   while (a_rdn_sequence_counter.HasMore() && b_rdn_sequence_counter.HasMore()) {
     if (!a_rdn_sequence_counter.SkipTag(der::kSet) ||
         !b_rdn_sequence_counter.SkipTag(der::kSet)) {
       return false;
     }
   }
-  if (a_rdn_sequence_counter.HasMore() || b_rdn_sequence_counter.HasMore())
+  // If doing exact match and either of the sequences has more elements than the
+  // other, not a match. If doing a subtree match, the first Name may have more
+  // RDNs than the second.
+  if (b_rdn_sequence_counter.HasMore())
+    return false;
+  if (match_type == EXACT_MATCH && a_rdn_sequence_counter.HasMore())
     return false;
 
   // Same number of RDNs, now check if they match.
   der::Parser a_rdn_sequence(a);
   der::Parser b_rdn_sequence(b);
   while (a_rdn_sequence.HasMore() && b_rdn_sequence.HasMore()) {
     der::Parser a_rdn, b_rdn;
     if (!a_rdn_sequence.ReadConstructed(der::kSet, &a_rdn) ||
         !b_rdn_sequence.ReadConstructed(der::kSet, &b_rdn)) {
       return false;
     }
     if (!VerifyRdnMatch(&a_rdn, &b_rdn))
       return false;
   }
 
   return true;
 }
 
+}  // namespace
+
+bool VerifyNameMatch(const der::Input& a_rdn_sequence,
+                     const der::Input& b_rdn_sequence) {
+  return VerifyNameMatchInternal(a_rdn_sequence, b_rdn_sequence, EXACT_MATCH);
+}
+
+bool VerifyNameInSubtree(const der::Input& name_rdn_sequence,
+                         const der::Input& parent_rdn_sequence) {
+  return VerifyNameMatchInternal(name_rdn_sequence, parent_rdn_sequence,
+                                 SUBTREE_MATCH);
+}
+
+bool NameContainsEmailAddress(const der::Input& name_rdn_sequence) {
+  der::Parser rdn_sequence_parser(name_rdn_sequence);
+
+  while (rdn_sequence_parser.HasMore()) {
+    der::Parser rdn_parser;
+    if (!rdn_sequence_parser.ReadConstructed(der::kSet, &rdn_parser))
+      return false;
+
+    std::vector<AttributeTypeAndValue> type_and_values;
+    if (!ReadRdn(&rdn_parser, &type_and_values))
+      return false;
+
+    for (const auto& type_and_value : type_and_values) {
+      if (type_and_value.type.Equals(der::Input(kOidEmailAddress)))
+        return true;
+    }
+  }
+
+  return false;
+}
+
+std::string GetNormalizedCommonNameFromName(
+    const der::Input& name_rdn_sequence) {
+  der::Parser rdn_sequence_parser(name_rdn_sequence);
+
+  while (rdn_sequence_parser.HasMore()) {
+    der::Parser rdn_parser;
+    if (!rdn_sequence_parser.ReadConstructed(der::kSet, &rdn_parser))
+      return std::string();

[eroman, 2015/08/26 19:56:44]

Why return an empty string rather than return false to indicate an error? Is the
consumer expected to test for emptiness, or are empty names allowed? I would say
here we want to fail, since failures can mean invalid der

[mattm, 2015/08/29 01:37:19]

It just didn't matter much for this case, but I've changed it to return a bool.

+
+    std::vector<AttributeTypeAndValue> type_and_values;
+    if (!ReadRdn(&rdn_parser, &type_and_values))
+      return std::string();
+
+    for (const auto& type_and_value : type_and_values) {
+      if (type_and_value.type.Equals(der::Input(kOidCommonName))) {
+        if (!IsNormalizableDirectoryString(type_and_value.value_tag))
+          return std::string();
+        std::string normalized;
+        bool ok = NormalizeValue(type_and_value.value_tag, type_and_value.value,
+                                 &normalized);
+        if (!ok)
+          return std::string();
+        return normalized;
+      }
+    }
+  }
+
+  return std::string();
+}
+
 }  // namespace net