OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ | 5 #ifndef NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ |
6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ | 6 #define NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ |
7 | 7 |
8 #include "base/basictypes.h" | 8 #include "base/basictypes.h" |
9 #include "base/compiler_specific.h" | 9 #include "base/compiler_specific.h" |
10 #include "net/base/net_export.h" | 10 #include "net/base/net_export.h" |
11 #include "net/der/input.h" | 11 #include "net/der/input.h" |
12 #include "net/der/parse_values.h" | 12 #include "net/der/parse_values.h" |
13 | 13 |
14 namespace net { | 14 namespace net { |
15 | 15 |
16 struct ParsedCertificate; | 16 struct ParsedCertificate; |
17 struct ParsedTbsCertificate; | |
davidben
2015/08/14 17:51:42
[Whatever we end up doing for the other CL, do for
eroman
2015/08/14 21:26:13
Acknowledged.
| |
17 | 18 |
18 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on | 19 // Parses a DER-encoded "Certificate" as specified by RFC 5280. Returns true on |
19 // success and sets the results in |out|. | 20 // success and sets the results in |out|. |
20 // | 21 // |
21 // Refer to the per-field documention of the ParsedCertificate structure for | 22 // Refer to the per-field documention of the ParsedCertificate structure for |
22 // details on what validity checks parsing performs. | 23 // details on what validity checks parsing performs. |
23 // | 24 // |
24 // Certificate ::= SEQUENCE { | 25 // Certificate ::= SEQUENCE { |
25 // tbsCertificate TBSCertificate, | 26 // tbsCertificate TBSCertificate, |
26 // signatureAlgorithm AlgorithmIdentifier, | 27 // signatureAlgorithm AlgorithmIdentifier, |
27 // signatureValue BIT STRING } | 28 // signatureValue BIT STRING } |
28 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv, | 29 NET_EXPORT bool ParseCertificate(const der::Input& certificate_tlv, |
29 ParsedCertificate* out) WARN_UNUSED_RESULT; | 30 ParsedCertificate* out) WARN_UNUSED_RESULT; |
30 | 31 |
32 // Parses a DER-encoded "TBSCertificate" as specified by RFC 5280. Returns true | |
33 // on success and sets the results in |out|. | |
davidben
2015/08/14 17:51:42
Add: The resulting ParsedTbsCertificate is valid a
eroman
2015/08/14 21:26:12
Done.
| |
34 // | |
35 // Refer to the per-field documentation of ParsedTbsCertificate for details on | |
36 // what validity checks parsing performs. | |
37 // | |
38 // TBSCertificate ::= SEQUENCE { | |
39 // version [0] EXPLICIT Version DEFAULT v1, | |
40 // serialNumber CertificateSerialNumber, | |
41 // signature AlgorithmIdentifier, | |
42 // issuer Name, | |
43 // validity Validity, | |
44 // subject Name, | |
45 // subjectPublicKeyInfo SubjectPublicKeyInfo, | |
46 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, | |
47 // -- If present, version MUST be v2 or v3 | |
48 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, | |
49 // -- If present, version MUST be v2 or v3 | |
50 // extensions [3] EXPLICIT Extensions OPTIONAL | |
51 // -- If present, version MUST be v3 | |
52 // } | |
53 NET_EXPORT bool ParseTbsCertificate(const der::Input& tbs_tlv, | |
54 ParsedTbsCertificate* out) | |
55 WARN_UNUSED_RESULT; | |
56 | |
57 // Represents a "Version" from RFC 5280: | |
58 // Version ::= INTEGER { v1(0), v2(1), v3(2) } | |
59 enum class CertificateVersion { | |
60 V1, | |
61 V2, | |
62 V3, | |
63 }; | |
64 | |
31 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC | 65 // ParsedCertificate contains pointers to the main fields of a DER-encoded RFC |
32 // 5280 "Certificate". | 66 // 5280 "Certificate". |
33 // | 67 // |
34 // ParsedCertificate is expected to be filled by ParseCertificate(), so | 68 // ParsedCertificate is expected to be filled by ParseCertificate(), so |
35 // subsequent field descriptions are in terms of what ParseCertificate() sets. | 69 // subsequent field descriptions are in terms of what ParseCertificate() sets. |
36 struct NET_EXPORT ParsedCertificate { | 70 struct NET_EXPORT ParsedCertificate { |
37 // Corresponds with "tbsCertificate" from RFC 5280: | 71 // Corresponds with "tbsCertificate" from RFC 5280: |
38 // tbsCertificate TBSCertificate, | 72 // tbsCertificate TBSCertificate, |
39 // | 73 // |
40 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | 74 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No |
41 // guarantees are made regarding the value of this SEQUENCE. | 75 // guarantees are made regarding the value of this SEQUENCE. |
76 // | |
77 // This can be further parsed using ParseTbsCertificate(). | |
42 der::Input tbs_certificate_tlv; | 78 der::Input tbs_certificate_tlv; |
43 | 79 |
44 // Corresponds with "signatureAlgorithm" from RFC 5280: | 80 // Corresponds with "signatureAlgorithm" from RFC 5280: |
45 // signatureAlgorithm AlgorithmIdentifier, | 81 // signatureAlgorithm AlgorithmIdentifier, |
46 // | 82 // |
47 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | 83 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No |
48 // guarantees are made regarding the value of this SEQUENCE. | 84 // guarantees are made regarding the value of this SEQUENCE. |
49 // | 85 // |
50 // This can be further parsed using SignatureValue::CreateFromDer(). | 86 // This can be further parsed using SignatureValue::CreateFromDer(). |
51 der::Input signature_algorithm_tlv; | 87 der::Input signature_algorithm_tlv; |
52 | 88 |
53 // Corresponds with "signatureValue" from RFC 5280: | 89 // Corresponds with "signatureValue" from RFC 5280: |
54 // signatureValue BIT STRING } | 90 // signatureValue BIT STRING } |
55 // | 91 // |
56 // Parsing guarantees that this is a valid BIT STRING. | 92 // Parsing guarantees that this is a valid BIT STRING. |
57 der::BitString signature_value; | 93 der::BitString signature_value; |
58 }; | 94 }; |
59 | 95 |
96 // ParsedTbsCertificate contains pointers to the main fields of a DER-encoded | |
97 // RFC 5280 "TBSCertificate". | |
98 // | |
99 // ParsedTbsCertificate is expected to be filled by ParseTbsCertificate(), so | |
100 // subsequent field descriptions are in terms of what ParseTbsCertificate() | |
101 // sets. | |
102 struct NET_EXPORT ParsedTbsCertificate { | |
103 ParsedTbsCertificate(); | |
104 ~ParsedTbsCertificate(); | |
105 | |
106 // Corresponds with "version" from RFC 5280: | |
107 // version [0] EXPLICIT Version DEFAULT v1, | |
108 // | |
109 // Parsing guarantees that the version is one of v1, v2, or v3. | |
110 CertificateVersion version; | |
111 | |
112 // Corresponds with "serialNumber" from RFC 5280: | |
113 // serialNumber CertificateSerialNumber, | |
114 // | |
115 // This field specifically contains the content bytes of the INTEGER. So for | |
116 // instance if the serial number was 1000 then this would contain bytes | |
117 // {0x03, 0xE8}. | |
118 // | |
119 // In addition to being a valid DER-encoded INTEGER, parsing guarantees that | |
120 // the serial number is at most 20 bytes long. Parsing does NOT guarantee | |
121 // that the integer is positive (might be zero or negative). | |
122 der::Input serial_number; | |
123 | |
124 // Corresponds with "signatureAlgorithm" from RFC 5280: | |
125 // signatureAlgorithm AlgorithmIdentifier, | |
126 // | |
127 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
128 // guarantees are made regarding the value of this SEQUENCE. | |
129 // | |
130 // This can be further parsed using SignatureValue::CreateFromDer(). | |
131 der::Input signature_algorithm_tlv; | |
132 | |
133 // Corresponds with "issuer" from RFC 5280: | |
134 // issuer Name, | |
135 // | |
136 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
137 // guarantees are made regarding the value of this SEQUENCE. | |
138 der::Input issuer_tlv; | |
139 | |
140 // Corresponds with "validity" from RFC 5280: | |
141 // validity Validity, | |
142 // | |
143 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
144 // guarantees are made regarding the value of this SEQUENCE. | |
145 der::Input validity_tlv; | |
146 | |
147 // Corresponds with "subject" from RFC 5280: | |
148 // subject Name, | |
149 // | |
150 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
151 // guarantees are made regarding the value of this SEQUENCE. | |
152 der::Input subject_tlv; | |
153 | |
154 // Corresponds with "subjectPublicKeyInfo" from RFC 5280: | |
155 // subjectPublicKeyInfo SubjectPublicKeyInfo, | |
156 // | |
157 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
158 // guarantees are made regarding the value of this SEQUENCE. | |
159 der::Input spki_tlv; | |
160 | |
161 // Corresponds with "issuerUniqueID" from RFC 5280: | |
162 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, | |
163 // -- If present, version MUST be v2 or v3 | |
164 // | |
165 // Parsing guarantees that if issuer_unique_id is present it is a valid BIT | |
166 // STRING, and that the version is either v2 or v3 | |
167 bool has_issuer_unique_id; | |
168 der::BitString issuer_unique_id; | |
169 | |
170 // Corresponds with "subjectUniqueID" from RFC 5280: | |
171 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, | |
172 // -- If present, version MUST be v2 or v3 | |
173 // | |
174 // Parsing guarantees that if subject_unique_id is present it is a valid BIT | |
175 // STRING, and that the version is either v2 or v3 | |
176 bool has_subject_unique_id; | |
177 der::BitString subject_unique_id; | |
178 | |
179 // Corresponds with "extensions" from RFC 5280: | |
180 // extensions [3] EXPLICIT Extensions OPTIONAL | |
181 // -- If present, version MUST be v3 | |
182 // | |
183 // | |
184 // This contains the full (unverified) Tag-Length-Value for a SEQUENCE. No | |
185 // guarantees are made regarding the value of this SEQUENCE. (Note that the | |
186 // EXPLICIT outter tag was stripped). | |
davidben
2015/08/14 17:51:42
outter -> outer
was -> is?
). -> .) (I was always
eroman
2015/08/14 21:26:13
Done.
| |
187 // | |
188 // Parsing guarantees that if extensions is present the version is v3. | |
189 bool has_extensions; | |
190 der::Input extensions_tlv; | |
191 }; | |
192 | |
60 } // namespace net | 193 } // namespace net |
61 | 194 |
62 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ | 195 #endif // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_ |
OLD | NEW |