net/cert/internal/signature_policy.h - Issue 1259313002: Add some policy controls for VerifySignedData().

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/internal/signature_policy.h

Issue 1259313002: Add some policy controls for VerifySignedData(). (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@add_python

Patch Set: Address more comments Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/internal/signature_policy.h

diff --git a/net/cert/internal/signature_policy.h b/net/cert/internal/signature_policy.h

new file mode 100644

index 0000000000000000000000000000000000000000..72ff945ed2c1cd1902f2dd67c7ef64def44fef6d

--- /dev/null

+++ b/net/cert/internal/signature_policy.h

@@ -0,0 +1,64 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#ifndef NET_CERT_INTERNAL_SIGNATURE_POLICY_H_

+#define NET_CERT_INTERNAL_SIGNATURE_POLICY_H_

+#include "base/compiler_specific.h"

+#include "net/base/net_export.h"

+#include "net/cert/internal/signature_algorithm.h"

+namespace net {

+class SignatureAlgorithm;

+// SignaturePolicy is an interface (and base implementation) for applying

+// policies when verifying signed data. It lets callers override which

+// algorithms, named curves, and key sizes to allow.

+class NET_EXPORT SignaturePolicy {

+ public:

+ virtual ~SignaturePolicy() {}

+ // Implementations should return true if |algorithm| is acceptable. For

+ // instance, implementations could reject any signature algorithms that used

+ // SHA-1.

+ //

+ // The default implementation accepts all signature algorithms.

+ virtual bool IsAcceptableSignatureAlgorithm(

+ const SignatureAlgorithm& algorithm) const;

+ // Implementations should return true if |curve_nid| is an allowed

+ // elliptical curve. |curve_nid| is an object ID from BoringSSL (for example

+ // NID_secp384r1).

+ //

+ // The default implementation accepts secp256r1, secp384r1, secp521r1 only.

+ virtual bool IsAcceptableCurveForEcdsa(int curve_nid) const;

+ // Implementations should return true if |modulus_length_bits| is an allowed

+ // RSA key size in bits.

+ //

+ // The default implementation accepts any modulus length >= 2048 bits.

+ virtual bool IsAcceptableModulusLengthForRsa(

+ size_t modulus_length_bits) const;

+};

+// SimpleSignaturePolicy modifies the base SignaturePolicy by allowing the

+// minimum RSA key length to be specified (rather than hard coded to 2048).

+//

+// TODO(eroman): This is currently just used by a test. If it ends up being

+// only useful for the unit-test then move it directly to that test file.

+class NET_EXPORT SimpleSignaturePolicy : public SignaturePolicy {

+ public:

+ explicit SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits);

+ bool IsAcceptableModulusLengthForRsa(

+ size_t modulus_length_bits) const override;

+ private:

+ const size_t min_rsa_modulus_length_bits_;

+};

+} // namespace net

+#endif // NET_CERT_INTERNAL_SIGNATURE_POLICY_H_

« no previous file with comments | « no previous file | net/cert/internal/signature_policy.cc » ('j') | no next file with comments »