Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(366)

Unified Diff: net/cert/internal/name_constraints.cc

Issue 1214933009: Class for parsing and evaluating RFC 5280 NameConstraints. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@compare_DN2
Patch Set: review changes for comment #12 Created 5 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/internal/name_constraints.h ('k') | net/cert/internal/name_constraints_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/internal/name_constraints.cc
diff --git a/net/cert/internal/name_constraints.cc b/net/cert/internal/name_constraints.cc
new file mode 100644
index 0000000000000000000000000000000000000000..1f33f50db7b5ef3509f7068b7ade857a70f8a73d
--- /dev/null
+++ b/net/cert/internal/name_constraints.cc
@@ -0,0 +1,565 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/name_constraints.h"
+
+#include "base/strings/string_util.h"
+#include "net/cert/internal/verify_name_match.h"
+#include "net/der/input.h"
+#include "net/der/parser.h"
+#include "net/der/tag.h"
+
+namespace net {
+
+namespace {
+
+// The name types of GeneralName that are fully supported in name constraints.
+//
+// (The other types will have the minimal checking described by RFC 5280
+// section 4.2.1.10: If a name constraints extension that is marked as critical
+// imposes constraints on a particular name form, and an instance of
+// that name form appears in the subject field or subjectAltName
+// extension of a subsequent certificate, then the application MUST
+// either process the constraint or reject the certificate.)
+const int kSupportedNameTypes = GENERAL_NAME_DNS_NAME |
+ GENERAL_NAME_DIRECTORY_NAME |
+ GENERAL_NAME_IP_ADDRESS;
+
+// Controls wildcard handling of DNSNameMatches.
+// If WildcardMatchType is WILDCARD_PARTIAL_MATCH "*.bar.com" is considered to
+// match the constraint "foo.bar.com". If it is WILDCARD_FULL_MATCH, "*.bar.com"
+// will match "bar.com" but not "foo.bar.com".
+enum WildcardMatchType { WILDCARD_PARTIAL_MATCH, WILDCARD_FULL_MATCH };
+
+// Returns true if |name| falls in the subtree defined by |dns_constraint|.
+// RFC 5280 section 4.2.1.10:
+// DNS name restrictions are expressed as host.example.com. Any DNS
+// name that can be constructed by simply adding zero or more labels
+// to the left-hand side of the name satisfies the name constraint. For
+// example, www.host.example.com would satisfy the constraint but
+// host1.example.com would not.
+//
+// |wildcard_matching| controls handling of wildcard names (|name| starts with
+// "*."). Wildcard handling is not specified by RFC 5280, but certificate
+// verification allows it, name constraints must check it similarly.
+bool DNSNameMatches(base::StringPiece name,
+ base::StringPiece dns_constraint,
+ WildcardMatchType wildcard_matching) {
+ // Everything matches the empty DNS name constraint.
+ if (dns_constraint.empty())
+ return true;
+
+ // Normalize absolute DNS names by removing the trailing dot, if any.
+ if (!name.empty() && *name.rbegin() == '.')
+ name.remove_suffix(1);
+ if (!dns_constraint.empty() && *dns_constraint.rbegin() == '.')
+ dns_constraint.remove_suffix(1);
+
+ // Wildcard partial-match handling ("*.bar.com" matching name constraint
+ // "foo.bar.com"). This only handles the case where the the dnsname and the
+ // constraint match after removing the leftmost label, otherwise it is handled
+ // by falling through to the check of whether the dnsname is fully within or
+ // fully outside of the constraint.
+ if (wildcard_matching == WILDCARD_PARTIAL_MATCH && name.size() > 2 &&
+ name[0] == '*' && name[1] == '.') {
+ size_t dns_constraint_dot_pos = dns_constraint.find('.');
+ if (dns_constraint_dot_pos != std::string::npos) {
+ base::StringPiece dns_constraint_domain(
+ dns_constraint.begin() + dns_constraint_dot_pos + 1,
+ dns_constraint.size() - dns_constraint_dot_pos - 1);
+ base::StringPiece wildcard_domain(name.begin() + 2, name.size() - 2);
+ if (base::EqualsCaseInsensitiveASCII(wildcard_domain,
+ dns_constraint_domain)) {
+ return true;
+ }
+ }
+ }
+
+ if (!base::EndsWith(name, dns_constraint,
+ base::CompareCase::INSENSITIVE_ASCII)) {
+ return false;
+ }
+ // Exact match.
+ if (name.size() == dns_constraint.size())
+ return true;
+ // Subtree match.
+ if (name.size() > dns_constraint.size() &&
+ name[name.size() - dns_constraint.size() - 1] == '.') {
+ return true;
+ }
+ // Trailing text matches, but not in a subtree (e.g., "foobar.com" is not a
+ // match for "bar.com").
+ return false;
+}
+
+// Return true if the bitmask |mask| contains only zeros after the first
+// |prefix_length| bits.
+bool IsSuffixZero(std::vector<uint8_t> mask, unsigned prefix_length) {
Ryan Sleevi 2015/10/29 01:50:47 Shouldn't mask be const-ref?
mattm 2015/10/29 04:20:38 Indeed. Done.
+ size_t zero_bits = mask.size() * CHAR_BIT - prefix_length;
+ size_t zero_bytes = zero_bits / CHAR_BIT;
+ std::vector<uint8_t> zeros(zero_bytes, 0);
+ if (memcmp(zeros.data(), mask.data() + mask.size() - zero_bytes, zero_bytes))
+ return false;
+ size_t leftover_bits = zero_bits % CHAR_BIT;
+ if (leftover_bits) {
+ uint8_t b = mask[mask.size() - zero_bytes - 1];
+ for (size_t i = 0; i < leftover_bits; ++i) {
+ if (b & (1 << i))
+ return false;
+ }
+ }
+ return true;
+}
+
+// Controls handling of unsupported name types in ParseGeneralName. (Unsupported
+// types are those not in kSupportedNameTypes.)
+// RECORD_UNSUPPORTED causes unsupported types to be recorded in
+// |present_name_types|.
+// IGNORE_UNSUPPORTED causes unsupported types to not be recorded.
+enum ParseGeneralNameUnsupportedTypeBehavior {
+ RECORD_UNSUPPORTED,
+ IGNORE_UNSUPPORTED,
+};
+
+// Controls parsing of iPAddress names in ParseGeneralName.
+// IP_ADDRESS_ONLY parses the iPAddress names as a 4 or 16 byte IP address.
+// IP_ADDRESS_AND_NETMASK parses the iPAddress names as 8 or 32 bytes containing
+// an IP address followed by a netmask.
+enum ParseGeneralNameIPAddressType {
+ IP_ADDRESS_ONLY,
+ IP_ADDRESS_AND_NETMASK,
+};
+
+// Parses a GeneralName value and adds it to |subtrees|.
+WARN_UNUSED_RESULT bool ParseGeneralName(
+ const der::Input& input,
+ ParseGeneralNameUnsupportedTypeBehavior unsupported_type_behavior,
+ ParseGeneralNameIPAddressType ip_address_type,
+ NameConstraints::GeneralNames* subtrees) {
+ der::Parser parser(input);
+ der::Tag tag;
+ der::Input value;
+ if (!parser.ReadTagAndValue(&tag, &value))
+ return false;
+ if (!der::IsContextSpecific(tag))
+ return false;
+ GeneralNameTypes name_type = GENERAL_NAME_NONE;
+ // GeneralName ::= CHOICE {
+ switch (der::GetTagNumber(tag)) {
+ // otherName [0] OtherName,
+ case 0:
+ if (!der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_OTHER_NAME;
+ break;
+ // rfc822Name [1] IA5String,
+ case 1:
+ if (der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_RFC822_NAME;
+ break;
+ // dNSName [2] IA5String,
+ case 2: {
+ if (der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_DNS_NAME;
+ const std::string s = value.AsString();
+ if (!base::IsStringASCII(s))
+ return false;
+ subtrees->dns_names.push_back(s);
+ break;
+ }
+ // x400Address [3] ORAddress,
+ case 3:
+ if (!der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_X400_ADDRESS;
+ break;
+ // directoryName [4] Name,
+ case 4:
+ if (!der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_DIRECTORY_NAME;
+ subtrees->directory_names.push_back(std::vector<uint8_t>(
+ value.UnsafeData(), value.UnsafeData() + value.Length()));
+ break;
+ // ediPartyName [5] EDIPartyName,
+ case 5:
+ if (!der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_EDI_PARTY_NAME;
+ break;
+ // uniformResourceIdentifier [6] IA5String,
+ case 6:
+ if (der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER;
+ break;
+ // iPAddress [7] OCTET STRING,
+ case 7:
+ if (der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_IP_ADDRESS;
+ if (ip_address_type == IP_ADDRESS_ONLY) {
+ // RFC 5280 section 4.2.1.6:
+ // When the subjectAltName extension contains an iPAddress, the address
+ // MUST be stored in the octet string in "network byte order", as
+ // specified in [RFC791]. The least significant bit (LSB) of each octet
+ // is the LSB of the corresponding byte in the network address. For IP
+ // version 4, as specified in [RFC791], the octet string MUST contain
+ // exactly four octets. For IP version 6, as specified in [RFC2460],
+ // the octet string MUST contain exactly sixteen octets.
+ if ((value.Length() != kIPv4AddressSize &&
+ value.Length() != kIPv6AddressSize)) {
+ return false;
+ }
+ subtrees->ip_addresses.push_back(std::vector<uint8_t>(
+ value.UnsafeData(), value.UnsafeData() + value.Length()));
+ } else {
+ DCHECK_EQ(ip_address_type, IP_ADDRESS_AND_NETMASK);
+ // RFC 5280 section 4.2.1.10:
+ // The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
+ // the following additions specifically for name constraints. For IPv4
+ // addresses, the iPAddress field of GeneralName MUST contain eight (8)
+ // octets, encoded in the style of RFC 4632 (CIDR) to represent an
+ // address range [RFC4632]. For IPv6 addresses, the iPAddress field
+ // MUST contain 32 octets similarly encoded. For example, a name
+ // constraint for "class C" subnet 192.0.2.0 is represented as the
+ // octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
+ // 192.0.2.0/24 (mask 255.255.255.0).
+ if (value.Length() != kIPv4AddressSize * 2 &&
+ value.Length() != kIPv6AddressSize * 2) {
+ return false;
+ }
+ const std::vector<uint8_t> mask(value.UnsafeData() + value.Length() / 2,
+ value.UnsafeData() + value.Length());
+ const unsigned mask_prefix_length = MaskPrefixLength(mask);
+ if (!IsSuffixZero(mask, mask_prefix_length))
+ return false;
+ subtrees->ip_address_ranges.push_back(std::make_pair(
+ std::vector<uint8_t>(value.UnsafeData(),
+ value.UnsafeData() + value.Length() / 2),
+ mask_prefix_length));
+ }
+ break;
+ // registeredID [8] OBJECT IDENTIFIER }
+ case 8:
+ if (der::IsConstructed(tag))
+ return false;
+ name_type = GENERAL_NAME_REGISTERED_ID;
+ break;
+ default:
+ return false;
+ }
+ DCHECK_NE(GENERAL_NAME_NONE, name_type);
+ if ((name_type & kSupportedNameTypes) ||
+ unsupported_type_behavior == RECORD_UNSUPPORTED) {
+ subtrees->present_name_types |= name_type;
+ }
+ return true;
+}
+
+// Parses a GeneralSubtrees |value| and store the contents in |subtrees|.
+// The individual values stored into |subtrees| are not validated by this
+// function.
+// NOTE: |subtrees| will be modified regardless of the return.
+WARN_UNUSED_RESULT bool ParseGeneralSubtrees(
+ const der::Input& value,
+ bool is_critical,
+ NameConstraints::GeneralNames* subtrees) {
+ // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ //
+ // GeneralSubtree ::= SEQUENCE {
+ // base GeneralName,
+ // minimum [0] BaseDistance DEFAULT 0,
+ // maximum [1] BaseDistance OPTIONAL }
+ //
+ // BaseDistance ::= INTEGER (0..MAX)
+ der::Parser sequence_parser(value);
+ // The GeneralSubtrees sequence should have at least 1 element.
+ if (!sequence_parser.HasMore())
+ return false;
+ while (sequence_parser.HasMore()) {
+ der::Parser subtree_sequence;
+ if (!sequence_parser.ReadSequence(&subtree_sequence))
+ return false;
+
+ der::Input raw_general_name;
+ if (!subtree_sequence.ReadRawTLV(&raw_general_name))
+ return false;
+
+ if (!ParseGeneralName(raw_general_name,
+ is_critical ? RECORD_UNSUPPORTED : IGNORE_UNSUPPORTED,
+ IP_ADDRESS_AND_NETMASK, subtrees)) {
+ return false;
+ }
+
+ // RFC 5280 section 4.2.1.10:
+ // Within this profile, the minimum and maximum fields are not used with any
+ // name forms, thus, the minimum MUST be zero, and maximum MUST be absent.
+ // However, if an application encounters a critical name constraints
+ // extension that specifies other values for minimum or maximum for a name
+ // form that appears in a subsequent certificate, the application MUST
+ // either process these fields or reject the certificate.
+
+ // Note that technically failing here isn't required: rather only need to
+ // fail if a name of this type actually appears in a subsequent cert and
+ // this extension was marked critical. However the minimum and maximum
+ // fields appear uncommon enough that implementing that isn't useful.
+ if (subtree_sequence.HasMore())
+ return false;
+ }
+ return true;
+}
+
+} // namespace
+
+NameConstraints::GeneralNames::GeneralNames() {}
+
+NameConstraints::GeneralNames::~GeneralNames() {}
+
+NameConstraints::~NameConstraints() {}
+
+// static
+scoped_ptr<NameConstraints> NameConstraints::CreateFromDer(
+ const der::Input& extension_value,
+ bool is_critical) {
+ scoped_ptr<NameConstraints> name_constraints(new NameConstraints());
+ if (!name_constraints->Parse(extension_value, is_critical))
+ return nullptr;
+ return name_constraints;
+}
+
+bool NameConstraints::Parse(const der::Input& extension_value,
+ bool is_critical) {
+ der::Parser extension_parser(extension_value);
+ der::Parser sequence_parser;
+
+ // NameConstraints ::= SEQUENCE {
+ // permittedSubtrees [0] GeneralSubtrees OPTIONAL,
+ // excludedSubtrees [1] GeneralSubtrees OPTIONAL }
+ if (!extension_parser.ReadSequence(&sequence_parser))
+ return false;
+ if (extension_parser.HasMore())
+ return false;
+
+ bool had_permitted_subtrees = false;
+ der::Input permitted_subtrees_value;
+ if (!sequence_parser.ReadOptionalTag(der::ContextSpecificConstructed(0),
+ &permitted_subtrees_value,
+ &had_permitted_subtrees)) {
+ return false;
+ }
+ if (had_permitted_subtrees &&
+ !ParseGeneralSubtrees(permitted_subtrees_value, is_critical,
+ &permitted_subtrees_)) {
+ return false;
+ }
+
+ bool had_excluded_subtrees = false;
+ der::Input excluded_subtrees_value;
+ if (!sequence_parser.ReadOptionalTag(der::ContextSpecificConstructed(1),
+ &excluded_subtrees_value,
+ &had_excluded_subtrees)) {
+ return false;
+ }
+ if (had_excluded_subtrees &&
+ !ParseGeneralSubtrees(excluded_subtrees_value, is_critical,
+ &excluded_subtrees_)) {
+ return false;
+ }
+
+ // RFC 5280 section 4.2.1.10:
+ // Conforming CAs MUST NOT issue certificates where name constraints is an
+ // empty sequence. That is, either the permittedSubtrees field or the
+ // excludedSubtrees MUST be present.
+ if (!had_permitted_subtrees && !had_excluded_subtrees)
+ return false;
+
+ if (sequence_parser.HasMore())
+ return false;
+
+ return true;
+}
+
+bool NameConstraints::IsPermittedCert(
+ const der::Input& subject_rdn_sequence,
+ const der::Input& subject_alt_name_extnvalue_tlv) const {
+ // Subject Alternative Name handling:
+ //
+ // RFC 5280 section 4.2.1.6:
+ // id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
+ //
+ // SubjectAltName ::= GeneralNames
+ //
+ // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+
+ GeneralNames san_names;
+ if (subject_alt_name_extnvalue_tlv.Length()) {
+ der::Parser extnvalue_parser(subject_alt_name_extnvalue_tlv);
+ der::Input subject_alt_name_tlv;
+ if (!extnvalue_parser.ReadTag(der::kOctetString, &subject_alt_name_tlv))
+ return false;
+
+ der::Parser subject_alt_name_parser(subject_alt_name_tlv);
+ der::Parser san_sequence_parser;
+ if (!subject_alt_name_parser.ReadSequence(&san_sequence_parser))
+ return false;
+ // Should not have trailing data after subjectAltName sequence.
+ if (subject_alt_name_parser.HasMore())
+ return false;
+ // The subjectAltName sequence should have at least 1 element.
+ if (!san_sequence_parser.HasMore())
+ return false;
+
+ while (san_sequence_parser.HasMore()) {
+ der::Input raw_general_name;
+ if (!san_sequence_parser.ReadRawTLV(&raw_general_name))
+ return false;
+
+ if (!ParseGeneralName(raw_general_name, RECORD_UNSUPPORTED,
+ IP_ADDRESS_ONLY, &san_names))
+ return false;
+ }
+
+ // Check unsupported name types:
+ // ConstrainedNameTypes for the unsupported types will only be true if that
+ // type of name was present in a name constraint that was marked critical.
+ //
+ // RFC 5280 section 4.2.1.10:
+ // If a name constraints extension that is marked as critical
+ // imposes constraints on a particular name form, and an instance of
+ // that name form appears in the subject field or subjectAltName
+ // extension of a subsequent certificate, then the application MUST
+ // either process the constraint or reject the certificate.
+ if (ConstrainedNameTypes() & san_names.present_name_types &
+ ~kSupportedNameTypes) {
+ return false;
+ }
+
+ // Check supported name types:
+ for (const auto& dns_name : san_names.dns_names) {
+ if (!IsPermittedDNSName(dns_name))
+ return false;
+ }
+
+ for (const auto& directory_name : san_names.directory_names) {
+ if (!IsPermittedDirectoryName(
+ der::Input(directory_name.data(), directory_name.size()))) {
+ return false;
+ }
+ }
+
+ for (const auto& ip_address : san_names.ip_addresses) {
+ if (!IsPermittedIP(ip_address))
+ return false;
+ }
+ }
+
+ // Subject handling:
+
+ // RFC 5280 section 4.2.1.10:
+ // Legacy implementations exist where an electronic mail address is embedded
+ // in the subject distinguished name in an attribute of type emailAddress
+ // (Section 4.1.2.6). When constraints are imposed on the rfc822Name name
+ // form, but the certificate does not include a subject alternative name, the
+ // rfc822Name constraint MUST be applied to the attribute of type emailAddress
+ // in the subject distinguished name.
+ if (!subject_alt_name_extnvalue_tlv.Length() &&
+ (ConstrainedNameTypes() & GENERAL_NAME_RFC822_NAME)) {
+ bool contained_email_address = false;
+ if (!NameContainsEmailAddress(subject_rdn_sequence,
+ &contained_email_address)) {
+ return false;
+ }
+ if (contained_email_address)
+ return false;
+ }
+
+ // RFC 5280 4.1.2.6:
+ // If subject naming information is present only in the subjectAltName
+ // extension (e.g., a key bound only to an email address or URI), then the
+ // subject name MUST be an empty sequence and the subjectAltName extension
+ // MUST be critical.
Ryan Sleevi 2015/10/29 01:50:47 This code doesn't check the criticality; is the ex
mattm 2015/10/29 04:20:38 That was my thought (for example, if there are no
mattm 2015/10/29 04:38:25 Also I imagine this code will end up changed to sp
+ if (subject_alt_name_extnvalue_tlv.Length() &&
+ subject_rdn_sequence.Length() == 0) {
+ return true;
+ }
+
+ return IsPermittedDirectoryName(subject_rdn_sequence);
+}
+
+bool NameConstraints::IsPermittedDNSName(const std::string& name) const {
+ // If there are no name constraints for DNS names, all names are accepted.
+ if (!(ConstrainedNameTypes() & GENERAL_NAME_DNS_NAME))
+ return true;
+
+ for (const std::string& excluded_name : excluded_subtrees_.dns_names) {
+ // When matching wildcard hosts against excluded subtrees, consider it a
+ // match if the constraint would match any expansion of the wildcard. Eg,
+ // CN=*.bar.com should match a constraint of foo.bar.com.
Ryan Sleevi 2015/10/29 01:50:47 remove the CN= ?
mattm 2015/10/29 04:20:38 Done.
+ if (DNSNameMatches(name, excluded_name, WILDCARD_PARTIAL_MATCH))
+ return false;
+ }
+ for (const std::string& permitted_name : permitted_subtrees_.dns_names) {
+ // When matching wildcard hosts against permitted subtrees, consider it a
+ // match only if the constraint would match all expansions of the wildcard.
+ // Eg, CN=*.bar.com should match a constraint of bar.com, but not
Ryan Sleevi 2015/10/29 01:50:47 remove CN= ?
mattm 2015/10/29 04:20:38 Done.
+ // foo.bar.com.
+ if (DNSNameMatches(name, permitted_name, WILDCARD_FULL_MATCH))
+ return true;
+ }
+
+ return false;
+}
+
+bool NameConstraints::IsPermittedDirectoryName(
+ const der::Input& name_rdn_sequence) const {
+ // If there are no name constraints for directory names, all names are
+ // accepted.
+ if (!(ConstrainedNameTypes() & GENERAL_NAME_DIRECTORY_NAME))
+ return true;
+
+ for (const auto& excluded_name : excluded_subtrees_.directory_names) {
+ if (VerifyNameInSubtree(
+ name_rdn_sequence,
+ der::Input(excluded_name.data(), excluded_name.size()))) {
+ return false;
+ }
+ }
+ for (const auto& permitted_name : permitted_subtrees_.directory_names) {
+ if (VerifyNameInSubtree(
+ name_rdn_sequence,
+ der::Input(permitted_name.data(), permitted_name.size()))) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool NameConstraints::IsPermittedIP(const IPAddressNumber& ip) const {
+ // If there are no name constraints for IP Address names, all names are
+ // accepted.
+ if (!(ConstrainedNameTypes() & GENERAL_NAME_IP_ADDRESS))
+ return true;
+
+ for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
+ if (IPNumberMatchesPrefix(ip, excluded_ip.first, excluded_ip.second))
+ return false;
+ }
+ for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
+ if (IPNumberMatchesPrefix(ip, permitted_ip.first, permitted_ip.second))
+ return true;
+ }
+
+ return false;
+}
+
+int NameConstraints::ConstrainedNameTypes() const {
+ return (permitted_subtrees_.present_name_types |
+ excluded_subtrees_.present_name_types);
+}
+
+} // namespace net
« no previous file with comments | « net/cert/internal/name_constraints.h ('k') | net/cert/internal/name_constraints_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698