net/cert/internal/parse_certificate.h - Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate".

Side by Side Diff: net/cert/internal/parse_certificate.h

Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate". (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_mapper

Patch Set: rebase onto master Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_	5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_

6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_	6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_

7	7

8 #include "base/basictypes.h"	8 #include "base/basictypes.h"

9 #include "base/compiler_specific.h"	9 #include "base/compiler_specific.h"

10 #include "net/base/net_export.h"	10 #include "net/base/net_export.h"

11 #include "net/der/input.h"	11 #include "net/der/input.h"

12 #include "net/der/parse_values.h"	12 #include "net/der/parse_values.h"

13	13

14 namespace net {	14 namespace net {

15	15

16 struct ParsedCertificate;	16 struct ParsedCertificate;

	17 struct ParsedTbsCertificate;
	davidben 2015/08/14 17:51:42 [Whatever we end up doing for the other CL, do for [Whatever we end up doing for the other CL, do for this one too.] eroman 2015/08/14 21:26:13 Acknowledged. Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > [Whatever we end up doing for the other CL, do for this one too.] Acknowledged.
17	18

18 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on	19 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on

19 // success and sets the results in \|out\|.	20 // success and sets the results in \|out\|.

20 //	21 //

21 // Refer to the per-field documention of the ParsedCertificate structure for	22 // Refer to the per-field documention of the ParsedCertificate structure for

22 // details on what validity checks parsing performs.	23 // details on what validity checks parsing performs.

23 //	24 //

24 // Certificate ::= SEQUENCE {	25 // Certificate ::= SEQUENCE {

25 // tbsCertificate TBSCertificate,	26 // tbsCertificate TBSCertificate,

26 // signatureAlgorithm AlgorithmIdentifier,	27 // signatureAlgorithm AlgorithmIdentifier,

27 // signatureValue BIT STRING }	28 // signatureValue BIT STRING }

28 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,	29 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,

29 ParsedCertificate* out) WARN_UNUSED_RESULT;	30 ParsedCertificate* out) WARN_UNUSED_RESULT;

30	31

	32 // Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true

	33 // on success and sets the results in \|out\|.
	davidben 2015/08/14 17:51:42 Add: The resulting ParsedTbsCertificate is valid a Add: The resulting ParsedTbsCertificate is valid as long as \|tbs_tlv\|'s contents are. eroman 2015/08/14 21:26:12 Done. Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > Add: The resulting ParsedTbsCertificate is valid as long as \|tbs_tlv\|'s contents > are. Done.
	34 //

	35 // Refer to the per-field documentation of ParsedTbsCertificate for details on

	36 // what validity checks parsing performs.

	37 //

	38 // TBSCertificate ::= SEQUENCE {

	39 // version [0] EXPLICIT Version DEFAULT v1,

	40 // serialNumber CertificateSerialNumber,

	41 // signature AlgorithmIdentifier,

	42 // issuer Name,

	43 // validity Validity,

	44 // subject Name,

	45 // subjectPublicKeyInfo SubjectPublicKeyInfo,

	46 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,

	47 // -- If present, version MUST be v2 or v3

	48 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	49 // -- If present, version MUST be v2 or v3

	50 // extensions [3] EXPLICIT Extensions OPTIONAL

	51 // -- If present, version MUST be v3

	52 // }

	53 NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,

	54 ParsedTbsCertificate* out)

	55 WARN_UNUSED_RESULT;

	56

	57 // Represents a "Version" from RFC 5280:

	58 // Version ::= INTEGER { v1(0), v2(1), v3(2) }

	59 enum class CertificateVersion {

	60 V1,

	61 V2,

	62 V3,

	63 };

	64

31 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC	65 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC

32 // 5280 "Certificate".	66 // 5280 "Certificate".

33 //	67 //

34 // ParsedCertificate is expected to be filled by ParseCertificate(), so	68 // ParsedCertificate is expected to be filled by ParseCertificate(), so

35 // subsequent field descriptions are in terms of what ParseCertificate() sets.	69 // subsequent field descriptions are in terms of what ParseCertificate() sets.

36 struct NET_EXPORT ParsedCertificate {	70 struct NET_EXPORT ParsedCertificate {

37 // Corresponds with "tbsCertificate" from RFC 5280:	71 // Corresponds with "tbsCertificate" from RFC 5280:

38 // tbsCertificate TBSCertificate,	72 // tbsCertificate TBSCertificate,

39 //	73 //

40 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No	74 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

41 // guarantees are made regarding the value of this SEQUENCE.	75 // guarantees are made regarding the value of this SEQUENCE.

	76 //

	77 // This can be further parsed using ParseTbsCertificate().

42 der::Input tbs_certificate_tlv;	78 der::Input tbs_certificate_tlv;

43	79

44 // Corresponds with "signatureAlgorithm" from RFC 5280:	80 // Corresponds with "signatureAlgorithm" from RFC 5280:

45 // signatureAlgorithm AlgorithmIdentifier,	81 // signatureAlgorithm AlgorithmIdentifier,

46 //	82 //

47 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No	83 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

48 // guarantees are made regarding the value of this SEQUENCE.	84 // guarantees are made regarding the value of this SEQUENCE.

49 //	85 //

50 // This can be further parsed using SignatureValue::CreateFromDer().	86 // This can be further parsed using SignatureValue::CreateFromDer().

51 der::Input signature_algorithm_tlv;	87 der::Input signature_algorithm_tlv;

52	88

53 // Corresponds with "signatureValue" from RFC 5280:	89 // Corresponds with "signatureValue" from RFC 5280:

54 // signatureValue BIT STRING }	90 // signatureValue BIT STRING }

55 //	91 //

56 // Parsing guarantees that this is a valid BIT STRING.	92 // Parsing guarantees that this is a valid BIT STRING.

57 der::BitString signature_value;	93 der::BitString signature_value;

58 };	94 };

59	95

	96 // ParsedTbsCertificate contains pointers to the main fields of a DER-encoded

	97 // RFC 5280 "TBSCertificate".

	98 //

	99 // ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so

	100 // subsequent field descriptions are in terms of what ParseTbsCertificate()

	101 // sets.

	102 struct NET_EXPORT ParsedTbsCertificate {

	103 ParsedTbsCertificate();

	104 ~ParsedTbsCertificate();

	105

	106 // Corresponds with "version" from RFC 5280:

	107 // version [0] EXPLICIT Version DEFAULT v1,

	108 //

	109 // Parsing guarantees that the version is one of v1, v2, or v3.

	110 CertificateVersion version;

	111

	112 // Corresponds with "serialNumber" from RFC 5280:

	113 // serialNumber CertificateSerialNumber,

	114 //

	115 // This field specifically contains the content bytes of the INTEGER. So for

	116 // instance if the serial number was 1000 then this would contain bytes

	117 // {0x03, 0xE8}.

	118 //

	119 // In addition to being a valid DER-encoded INTEGER, parsing guarantees that

	120 // the serial number is at most 20 bytes long. Parsing does NOT guarantee

	121 // that the integer is positive (might be zero or negative).

	122 der::Input serial_number;

	123

	124 // Corresponds with "signatureAlgorithm" from RFC 5280:

	125 // signatureAlgorithm AlgorithmIdentifier,

	126 //

	127 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	128 // guarantees are made regarding the value of this SEQUENCE.

	129 //

	130 // This can be further parsed using SignatureValue::CreateFromDer().

	131 der::Input signature_algorithm_tlv;

	132

	133 // Corresponds with "issuer" from RFC 5280:

	134 // issuer Name,

	135 //

	136 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	137 // guarantees are made regarding the value of this SEQUENCE.

	138 der::Input issuer_tlv;

	139

	140 // Corresponds with "validity" from RFC 5280:

	141 // validity Validity,

	142 //

	143 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	144 // guarantees are made regarding the value of this SEQUENCE.

	145 der::Input validity_tlv;

	146

	147 // Corresponds with "subject" from RFC 5280:

	148 // subject Name,

	149 //

	150 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	151 // guarantees are made regarding the value of this SEQUENCE.

	152 der::Input subject_tlv;

	153

	154 // Corresponds with "subjectPublicKeyInfo" from RFC 5280:

	155 // subjectPublicKeyInfo SubjectPublicKeyInfo,

	156 //

	157 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	158 // guarantees are made regarding the value of this SEQUENCE.

	159 der::Input spki_tlv;

	160

	161 // Corresponds with "issuerUniqueID" from RFC 5280:

	162 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,

	163 // -- If present, version MUST be v2 or v3

	164 //

	165 // Parsing guarantees that if issuer_unique_id is present it is a valid BIT

	166 // STRING, and that the version is either v2 or v3

	167 bool has_issuer_unique_id;

	168 der::BitString issuer_unique_id;

	169

	170 // Corresponds with "subjectUniqueID" from RFC 5280:

	171 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	172 // -- If present, version MUST be v2 or v3

	173 //

	174 // Parsing guarantees that if subject_unique_id is present it is a valid BIT

	175 // STRING, and that the version is either v2 or v3

	176 bool has_subject_unique_id;

	177 der::BitString subject_unique_id;

	178

	179 // Corresponds with "extensions" from RFC 5280:

	180 // extensions [3] EXPLICIT Extensions OPTIONAL

	181 // -- If present, version MUST be v3

	182 //

	183 //

	184 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No

	185 // guarantees are made regarding the value of this SEQUENCE. (Note that the

	186 // EXPLICIT outter tag was stripped).
	davidben 2015/08/14 17:51:42 outter -> outer was -> is? ). -> .) (I was always outter -> outer was -> is? ). -> .) (I was always taught that you put the period inside the parens if a full sentence is a parenthetical.) eroman 2015/08/14 21:26:13 Done. Show quoted text On 2015/08/14 17:51:42, David Benjamin wrote: > outter -> outer > was -> is? > ). -> .) (I was always taught that you put the period inside the parens if a > full sentence is a parenthetical.) Done.
	187 //

	188 // Parsing guarantees that if extensions is present the version is v3.

	189 bool has_extensions;

	190 der::Input extensions_tlv;

	191 };

	192

60 } // namespace net	193 } // namespace net

61	194

62 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_	195 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_

OLD	NEW

« no previous file with comments | « no previous file | net/cert/internal/parse_certificate.cc » ('j') | net/cert/internal/parse_certificate.cc » ('J')