Class for parsing and evaluating RFC 5280 NameConstraints.

net/cert/internal/name_constraints.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_
+#define NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_
+
+#include <vector>
+
+#include "base/compiler_specific.h"
+#include "net/base/ip_address_number.h"
+
+namespace net {
+
+namespace der {
+class Input;
+}  // namespace der
+
+enum GeneralNameTypes {
+  GENERAL_NAME_OTHER_NAME = 1 << 0,
+  GENERAL_NAME_RFC822_NAME = 1 << 1,
+  GENERAL_NAME_DNS_NAME = 1 << 2,
+  GENERAL_NAME_X400_ADDRESS = 1 << 3,
+  GENERAL_NAME_DIRECTORY_NAME = 1 << 4,
+  GENERAL_NAME_EDI_PARTY_NAME = 1 << 5,
+  GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER = 1 << 6,
+  GENERAL_NAME_IP_ADDRESS = 1 << 7,
+  GENERAL_NAME_REGISTERED_ID = 1 << 8,
+};
+
+// Parses a NameConstraints extension value and allows testing whether names are
+// allowed under those constraints as defined by RFC 5280 section 4.2.1.10.
+class NET_EXPORT NameConstraints {
+ public:
+  // TODO(mattm): This may need to be split out into a public class, since
+  // GeneralNames is used other places in a certificate also...
+  struct GeneralNames {
+    GeneralNames();
+    ~GeneralNames();
+
+    // ASCII hostnames.
+    std::vector<std::string> dns_names;
+
+    // DER encoded Name values (not including the Sequence tag).

[eroman, 2015/09/10 17:48:28]

"DER-encoded" to match the rest of the comments

[mattm, 2015/09/22 22:12:31]

Done.

+    std::vector<std::vector<uint8_t>> directory_names;
+
+    // iPAddresses. For Subject Alternative Name this will be 4 bytes for IPv4
+    // or 16 bytes for IPv6. For Name Constraints, it will be ip + netmask
+    // (8 bytes for IPv4, 32 bytes for IPv6).
+    std::vector<std::vector<uint8_t>> ip_addresses;
+
+    // Which name types were present, as a bitfield of GeneralNameTypes.
+    // Includes both the supported and unsupported types (although unsupported
+    // ones may not be recorded depending on the context, like non-critical name
+    // constraints.)
+    int present_name_types = 0;
+  };
+
+  ~NameConstraints();
+
+  // Parses a DER-encoded NameConstraints extension and initializes this object.
+  // Should only be called once on a given NameConstraints object (whether
+  // successful or not).
+  // |extension_value| should be the extnValue from the extension (not including
+  // the OCTET STRING tag). |is_critical| should be true if the extension was
+  // marked critical.  Returns true if the extension was parsed successfully,
+  // after which the IsPermitted methods may be used to test if Names are
+  // permitted by the NameConstraints.
+  // The object lifetime is not bound to the lifetime of |extension_value| data.
+  bool Parse(const der::Input& extension_value,

[eroman, 2015/09/10 17:48:28]

When I was writing the SignatureAlgorithm class which similarly had a "parse to
initialize" mechanism, Ryan proposed using a factory method instead
(https://code.google.com/p/chromium/codesearch#chromium/src/net/cert/internal/...)
to avoid possibility of having an invalid algorithm.

Not a big deal here since the default constructed NameConstraints isn't scary,
but you might consider that pattern here for consistency. It does cost another
allocation, but makes the "only called once" behavior explicit.

[mattm, 2015/09/22 22:12:31]

Done.

+             bool is_critical) WARN_UNUSED_RESULT;
+
+  // Tests if a certificate is allowed by the name constraints.
+  // |subject_rdn_sequence| should be the DER-encoded value of the subject's
+  // RDNSequence field (not including Sequence tag), and may be an empty ASN.1

[eroman, 2015/09/10 17:48:28]

nit: This reads a bit weird to me. In particular "RDNSequence field", since my
mind was expecting a field name (name) and not a type (RDNSequence).

[mattm, 2015/09/22 22:12:31]

I removed the "field"

+  // sequence.  |subject_alt_name_extnvalue_tlv| should be the extnValue of the
+  // subjectAltName extension (including the OCTET STRING tag & length), or
+  // empty if the cert did not have a subjectAltName extension.  |is_leaf_cert|
+  // should be true if the certificate is the leaf of the certificate chain, in
+  // which case subject commonName hostname/ip checking is done.
+  bool IsPermittedCert(const der::Input& subject_rdn_sequence,
+                       const der::Input& subject_alt_name_extnvalue_tlv,
+                       bool is_leaf_cert) const;
+
+  // Returns true if the ASCII hostname |name| is permitted.
+  // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"

[eroman, 2015/09/10 17:48:28]

Where does this wildcard behavior come from?

[mattm, 2015/09/22 22:12:31]

(Should be addressed by the discussion in the .cc file review)

+  // would not be permitted if "bar.com" is permitted and "foo.bar.com" is
+  // excluded, while "*.baz.com" would only be permitted if "baz.com" is
+  // permitted.
+  bool IsPermittedDNSName(const std::string& name) const;
+
+  // Returns true if the directoryName |name_rdn_sequence| is permitted.
+  // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
+  // including the Sequence tag.)
+  bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const;
+
+  // Returns true if the iPAddress |ip| is permitted.
+  bool IsPermittedIP(const IPAddressNumber& ip) const;
+
+  // Returns a bitfield of GeneralNameTypes of all the types constrained by this
+  // NameConstraints. Name types that aren't supported will only be present if
+  // the name constraint they appeared in was marked critical.
+  //
+  // RFC 5280 section 4.2.1.10 says:
+  // Applications conforming to this profile MUST be able to process name
+  // constraints that are imposed on the directoryName name form and SHOULD be
+  // able to process name constraints that are imposed on the rfc822Name,
+  // uniformResourceIdentifier, dNSName, and iPAddress name forms.
+  // If a name constraints extension that is marked as critical
+  // imposes constraints on a particular name form, and an instance of
+  // that name form appears in the subject field or subjectAltName
+  // extension of a subsequent certificate, then the application MUST
+  // either process the constraint or reject the certificate.
+  int ConstrainedNameTypes() const;
+
+ private:
+  GeneralNames permitted_subtrees_;
+  GeneralNames excluded_subtrees_;
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_NAME_CONSTRAINTS_H_