Chromium Code Reviews

Side by Side Diff: net/cert/internal/parse_certificate.h

Issue 1279963003: Add a function for parsing RFC 5280's "TBSCertificate". (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_mapper
Patch Set: rebase onto master Created 5 years, 4 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
7 7
8 #include "base/basictypes.h" 8 #include "base/basictypes.h"
9 #include "base/compiler_specific.h" 9 #include "base/compiler_specific.h"
10 #include "net/base/net_export.h" 10 #include "net/base/net_export.h"
11 #include "net/der/input.h" 11 #include "net/der/input.h"
12 #include "net/der/parse_values.h" 12 #include "net/der/parse_values.h"
13 13
14 namespace net { 14 namespace net {
15 15
16 struct ParsedCertificate; 16 struct ParsedCertificate;
17 struct ParsedTbsCertificate;
davidben 2015/08/14 17:51:42 [Whatever we end up doing for the other CL, do for
eroman 2015/08/14 21:26:13 Acknowledged.
17 18
18 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on 19 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on
19 // success and sets the results in |out|. 20 // success and sets the results in |out|.
20 // 21 //
21 // Refer to the per-field documention of the ParsedCertificate structure for 22 // Refer to the per-field documention of the ParsedCertificate structure for
22 // details on what validity checks parsing performs. 23 // details on what validity checks parsing performs.
23 // 24 //
24 // Certificate ::= SEQUENCE { 25 // Certificate ::= SEQUENCE {
25 // tbsCertificate TBSCertificate, 26 // tbsCertificate TBSCertificate,
26 // signatureAlgorithm AlgorithmIdentifier, 27 // signatureAlgorithm AlgorithmIdentifier,
27 // signatureValue BIT STRING } 28 // signatureValue BIT STRING }
28 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv, 29 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv,
29 ParsedCertificate* out) WARN_UNUSED_RESULT; 30 ParsedCertificate* out) WARN_UNUSED_RESULT;
30 31
32 // Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true
33 // on success and sets the results in |out|.
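Review bot: The doc comment for ParseTbsCertificate() should state the lifetime of the result. ParsedTbsCertificate is documented below as holding pointers (der::Input views) into the parsed bytes rather than copies, so |out| is only usable while the buffer backing tbs_tlv stays alive; the comment on ParseCertificate() has the same gap, but this is the place a caller chaining ParseCertificate() -> ParseTbsCertificate() will look. It would also help to say that tbs_tlv is the full Tag-Length-Value of the SEQUENCE, i.e. exactly what ParseCertificate() leaves in tbs_certificate_tlv, since the parameter name is currently the only hint that the outer tag is expected to be included.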
davidben 2015/08/14 17:51:42 Add: The resulting ParsedTbsCertificate is valid a
eroman 2015/08/14 21:26:12 Done.
34 //
35 // Refer to the per-field documentation of ParsedTbsCertificate for details on
36 // what validity checks parsing performs.
37 //
38 // TBSCertificate ::= SEQUENCE {
39 // version [0] EXPLICIT Version DEFAULT v1,
40 // serialNumber CertificateSerialNumber,
41 // signature AlgorithmIdentifier,
42 // issuer Name,
43 // validity Validity,
44 // subject Name,
45 // subjectPublicKeyInfo SubjectPublicKeyInfo,
46 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
47 // -- If present, version MUST be v2 or v3
48 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
49 // -- If present, version MUST be v2 or v3
50 // extensions [3] EXPLICIT Extensions OPTIONAL
51 // -- If present, version MUST be v3
52 // }
53 NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv,
54 ParsedTbsCertificate* out)
55 WARN_UNUSED_RESULT;
56
57 // Represents a "Version" from RFC 5280:
58 // Version ::= INTEGER { v1(0), v2(1), v3(2) }
59 enum class CertificateVersion {
60 V1,
61 V2,
62 V3,
63 };
64
31 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC 65 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC
32 // 5280 "Certificate". 66 // 5280 "Certificate".
33 // 67 //
34 // ParsedCertificate is expected to be filled by ParseCertificate(), so 68 // ParsedCertificate is expected to be filled by ParseCertificate(), so
35 // subsequent field descriptions are in terms of what ParseCertificate() sets. 69 // subsequent field descriptions are in terms of what ParseCertificate() sets.
36 struct NET_EXPORT ParsedCertificate { 70 struct NET_EXPORT ParsedCertificate {
37 // Corresponds with "tbsCertificate" from RFC 5280: 71 // Corresponds with "tbsCertificate" from RFC 5280:
38 // tbsCertificate TBSCertificate, 72 // tbsCertificate TBSCertificate,
39 // 73 //
40 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 74 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
41 // guarantees are made regarding the value of this SEQUENCE. 75 // guarantees are made regarding the value of this SEQUENCE.
76 //
77 // This can be further parsed using ParseTbsCertificate().
42 der::Input tbs_certificate_tlv; 78 der::Input tbs_certificate_tlv;
43 79
44 // Corresponds with "signatureAlgorithm" from RFC 5280: 80 // Corresponds with "signatureAlgorithm" from RFC 5280:
45 // signatureAlgorithm AlgorithmIdentifier, 81 // signatureAlgorithm AlgorithmIdentifier,
46 // 82 //
47 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No 83 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
48 // guarantees are made regarding the value of this SEQUENCE. 84 // guarantees are made regarding the value of this SEQUENCE.
49 // 85 //
50 // This can be further parsed using SignatureValue::CreateFromDer(). 86 // This can be further parsed using SignatureValue::CreateFromDer().
51 der::Input signature_algorithm_tlv; 87 der::Input signature_algorithm_tlv;
52 88
53 // Corresponds with "signatureValue" from RFC 5280: 89 // Corresponds with "signatureValue" from RFC 5280:
54 // signatureValue BIT STRING } 90 // signatureValue BIT STRING }
55 // 91 //
56 // Parsing guarantees that this is a valid BIT STRING. 92 // Parsing guarantees that this is a valid BIT STRING.
57 der::BitString signature_value; 93 der::BitString signature_value;
58 }; 94 };
59 95
96 // ParsedTbsCertificate contains pointers to the main fields of a DER-encoded
97 // RFC 5280 "TBSCertificate".
98 //
99 // ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so
100 // subsequent field descriptions are in terms of what ParseTbsCertificate()
101 // sets.
102 struct NET_EXPORT ParsedTbsCertificate {
103 ParsedTbsCertificate();
104 ~ParsedTbsCertificate();
105
106 // Corresponds with "version" from RFC 5280:
107 // version [0] EXPLICIT Version DEFAULT v1,
108 //
109 // Parsing guarantees that the version is one of v1, v2, or v3.
110 CertificateVersion version;
111
112 // Corresponds with "serialNumber" from RFC 5280:
113 // serialNumber CertificateSerialNumber,
114 //
115 // This field specifically contains the content bytes of the INTEGER. So for
116 // instance if the serial number was 1000 then this would contain bytes
117 // {0x03, 0xE8}.
118 //
119 // In addition to being a valid DER-encoded INTEGER, parsing guarantees that
120 // the serial number is at most 20 bytes long. Parsing does NOT guarantee
121 // that the integer is positive (might be zero or negative).
122 der::Input serial_number;
123
124 // Corresponds with "signatureAlgorithm" from RFC 5280:
125 // signatureAlgorithm AlgorithmIdentifier,
126 //
127 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
128 // guarantees are made regarding the value of this SEQUENCE.
129 //
130 // This can be further parsed using SignatureValue::CreateFromDer().
131 der::Input signature_algorithm_tlv;
132
133 // Corresponds with "issuer" from RFC 5280:
134 // issuer Name,
135 //
136 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
137 // guarantees are made regarding the value of this SEQUENCE.
138 der::Input issuer_tlv;
139
140 // Corresponds with "validity" from RFC 5280:
141 // validity Validity,
142 //
143 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
144 // guarantees are made regarding the value of this SEQUENCE.
145 der::Input validity_tlv;
146
147 // Corresponds with "subject" from RFC 5280:
148 // subject Name,
149 //
150 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
151 // guarantees are made regarding the value of this SEQUENCE.
152 der::Input subject_tlv;
153
154 // Corresponds with "subjectPublicKeyInfo" from RFC 5280:
155 // subjectPublicKeyInfo SubjectPublicKeyInfo,
156 //
157 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
158 // guarantees are made regarding the value of this SEQUENCE.
159 der::Input spki_tlv;
160
161 // Corresponds with "issuerUniqueID" from RFC 5280:
162 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
163 // -- If present, version MUST be v2 or v3
164 //
165 // Parsing guarantees that if issuer_unique_id is present it is a valid BIT
166 // STRING, and that the version is either v2 or v3
167 bool has_issuer_unique_id;
168 der::BitString issuer_unique_id;
169
170 // Corresponds with "subjectUniqueID" from RFC 5280:
171 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
172 // -- If present, version MUST be v2 or v3
173 //
174 // Parsing guarantees that if subject_unique_id is present it is a valid BIT
175 // STRING, and that the version is either v2 or v3
176 bool has_subject_unique_id;
177 der::BitString subject_unique_id;
178
179 // Corresponds with "extensions" from RFC 5280:
180 // extensions [3] EXPLICIT Extensions OPTIONAL
181 // -- If present, version MUST be v3
182 //
183 //
184 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No
185 // guarantees are made regarding the value of this SEQUENCE. (Note that the
186 // EXPLICIT outter tag was stripped).
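Review bot: The comment on ParsedTbsCertificate::signature_algorithm_tlv says it corresponds with "signatureAlgorithm" from RFC 5280, but in TBSCertificate the field is named "signature" (see the ASN.1 reproduced above ParseTbsCertificate()); "signatureAlgorithm" is the outer Certificate field already documented on ParsedCertificate. Suggest `// Corresponds with "signature" from RFC 5280:` followed by `// signature AlgorithmIdentifier,` so readers cross-checking against the spec find the right field. While here, the "further parsed using SignatureValue::CreateFromDer()" pointer was copied from ParsedCertificate; worth double-checking that it names the parser for an AlgorithmIdentifier rather than for the signature value. Two smaller points: the serial_number comment correctly documents that zero or negative values are accepted, which is a deliberate leniency relative to RFC 5280's requirement that serial numbers be positive, so consider stating that a caller wanting conformance must enforce positivity itself; and the extensions comment has two consecutive empty `//` lines before "This contains the full (unverified) Tag-Length-Value" that should be collapsed to one.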
davidben 2015/08/14 17:51:42 outter -> outer was -> is? ). -> .) (I was always
eroman 2015/08/14 21:26:13 Done.
187 //
188 // Parsing guarantees that if extensions is present the version is v3.
189 bool has_extensions;
190 der::Input extensions_tlv;
191 };
192
60 } // namespace net 193 } // namespace net
61 194
62 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ 195 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_